CyberSecurity news
FlagThis
@cyberpress.org
//
NVIDIA has issued a critical security update for its TensorRT-LLM framework to address a high-severity vulnerability, identified as CVE-2025-23254. This flaw poses significant risks, potentially leading to remote code execution, data tampering, and information disclosure. All platforms and versions of TensorRT-LLM prior to 0.18.2 are affected, making this update essential for users to safeguard their systems against potential attacks. The vulnerability resides in the Python executor component of TensorRT-LLM and stems from insecure handling of Inter-Process Communication (IPC).
The specific weakness lies in the Python pickle module's utilization for serialization and deserialization within the socket-based IPC system. An attacker with local access to the TRTLLM server could exploit this by injecting malicious code, gaining unauthorized access to sensitive data, or manipulating existing data. NVIDIA has assigned a CVSS base score of 8.8 to this vulnerability, classifying it as high severity, with the underlying technical risk categorized as "Deserialization of Untrusted Data" (CWE-502). Avi Lumelsky of Oligo Security is credited with responsibly reporting the vulnerability.
To mitigate this threat, NVIDIA has implemented HMAC (Hash-Based Message Authentication Code) encryption by default for all socket-based IPC operations in both the main and release branches of TensorRT-LLM. This security enhancement ensures the integrity and authenticity of serialized data exchanged between processes, preventing unauthorized code execution. NVIDIA strongly advises users not to disable this encryption feature, as doing so would reintroduce the vulnerability and leave systems vulnerable to potential attacks. Users are urged to immediately update to TensorRT-LLM version 0.18.2 or later to fully address the identified risks.
ImgSrc: blogger.googleu
References :
The specific weakness lies in the Python pickle module's utilization for serialization and deserialization within the socket-based IPC system. An attacker with local access to the TRTLLM server could exploit this by injecting malicious code, gaining unauthorized access to sensitive data, or manipulating existing data. NVIDIA has assigned a CVSS base score of 8.8 to this vulnerability, classifying it as high severity, with the underlying technical risk categorized as "Deserialization of Untrusted Data" (CWE-502). Avi Lumelsky of Oligo Security is credited with responsibly reporting the vulnerability.
To mitigate this threat, NVIDIA has implemented HMAC (Hash-Based Message Authentication Code) encryption by default for all socket-based IPC operations in both the main and release branches of TensorRT-LLM. This security enhancement ensures the integrity and authenticity of serialized data exchanged between processes, preventing unauthorized code execution. NVIDIA strongly advises users not to disable this encryption feature, as doing so would reintroduce the vulnerability and leave systems vulnerable to potential attacks. Users are urged to immediately update to TensorRT-LLM version 0.18.2 or later to fully address the identified risks.
ImgSrc: blogger.googleu
Share:
References :
- Cyber Security News: NVIDIA has released a crucial security update for its TensorRT-LLM Framework, addressing a high-severity vulnerability that could expose users to significant risks, including remote code execution, data tampering, and information disclosure. The vulnerability, tracked as CVE-2025-23254, affects all platforms and all versions of TensorRT-LLM before 0.18.2. Vulnerability Details The flaw resides in the Python executor
- securityonline.info: NVIDIA has released a security update for its TensorRT-LLM Framework, addressing a high-severity vulnerability that could expose users The post appeared first on .
- gbhackers.com: NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in its popular TensorRT-LLM framework, urging all users to update to the latest version (0.18.2) to safeguard their systems against potential attacks. Overview of the Vulnerability The vulnerability, identified as CVE-2025-23254, affects all versions of the NVIDIA TensorRT-LLM framework before 0.18.2 across
Classification:
- HashTags: #NVIDIA #TensorRT #Vulnerability
- Company: NVIDIA
- Target: NVIDIA TensorRT-LLM Users
- Attacker: APT Group
- Product: TensorRT-LLM
- Feature: TensorRT-LLM
- Malware: CVE-2025-23254
- Type: Vulnerability
- Severity: Major