RCE in NVIDIA NeMo model loading via malicious .nemo metadata
CVE-2025-23304 is a high-severity vulnerability in NVIDIA NeMo’s model loading component. NeMo .nemo and .qnemo model files are TAR-based archives that include model metadata (for example, model_config.yaml) alongside model weights. Prior to the fix, NeMo passed metadata from these model files into Meta Hydra’s hydra.utils.instantiate() without sufficient validation or sanitization. Because Hydra instantiate() can invoke arbitrary Python callables rather than only safe class constructors, an attacker can craft model metadata so that loading a malicious .nemo file causes execution of attacker-controlled code, including via dangerous targets such as builtins.exec, builtins.eval, or os.system. NVIDIA addressed the issue in NeMo 2.3.2 by adding configuration validation and an allow list of approved packages and expected imports. Successful exploitation may result in remote code execution and data tampering.
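The defensive pattern the fix describes, validating every Hydra `_target_` against an allow list of approved packages before anything reaches `hydra.utils.instantiate()`, as an added example. This is not NVIDIA NeMo's or Hydra's own code: `_target_` is Hydra's real key for the callable to instantiate, but the allow list, the config shapes and the function names are constructed for illustration, and a real loader would run this on the mapping produced by `yaml.safe_load` of `model_config.yaml` before calling `instantiate()`.

```python
"""
Added example (not NVIDIA NeMo's or Hydra's own code): a pre-instantiation
check that walks a model_config-style mapping and rejects any Hydra
`_target_` that does not sit under an approved package. The allow list is
an assumption for illustration, not NVIDIA's actual list.
"""
from typing import Any, Iterator

# Assumed allow list of package prefixes (hypothetical, not NeMo's real list).
ALLOWED_PACKAGE_PREFIXES = ("nemo.", "torch.", "pytorch_lightning.")

HYDRA_TARGET_KEY = "_target_"  # Hydra's key naming the callable to instantiate


def iter_targets(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (path, target) for every `_target_` anywhere in a nested config."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == HYDRA_TARGET_KEY and isinstance(value, str):
                yield child, value
            else:
                yield from iter_targets(value, child)
    elif isinstance(node, (list, tuple)):
        for i, item in enumerate(node):
            yield from iter_targets(item, f"{path}[{i}]")


def is_allowed_target(target: str, allowed=ALLOWED_PACKAGE_PREFIXES) -> bool:
    """A target is allowed only if it is a clean dotted path under an approved package."""
    if not target or target.startswith(".") or ".." in target:
        return False
    # Every component must be a plain identifier, so no odd spellings of the same path.
    if not all(part.isidentifier() for part in target.split(".")):
        return False
    return target.startswith(allowed)  # str.startswith accepts a tuple of prefixes


def find_disallowed_targets(cfg: dict, allowed=ALLOWED_PACKAGE_PREFIXES) -> list[tuple[str, str]]:
    """Return every (path, target) pair whose target falls outside the allow list."""
    return [(p, t) for p, t in iter_targets(cfg) if not is_allowed_target(t, allowed)]


def validate_model_config(cfg: dict, allowed=ALLOWED_PACKAGE_PREFIXES) -> dict:
    """Hardened pre-step: raise before any instantiate() call if a target is not approved."""
    bad = find_disallowed_targets(cfg, allowed)
    if bad:
        detail = ", ".join(f"{p} -> {t}" for p, t in bad)
        raise ValueError(f"refusing to instantiate disallowed target(s): {detail}")
    return cfg


# Constructed sample resembling a benign model_config (not a real NeMo config).
BENIGN_CONFIG = {
    "model": {
        "_target_": "nemo.collections.asr.models.EncDecCTCModel",
        "optim": {"_target_": "torch.optim.AdamW", "lr": 1e-4},
        "callbacks": [{"_target_": "pytorch_lightning.callbacks.ModelCheckpoint"}],
    }
}

# Constructed sample of the pattern the CVE describes: a target outside any model package.
POISONED_CONFIG = {
    "model": {
        "_target_": "nemo.collections.asr.models.EncDecCTCModel",
        "optim": {"_target_": "builtins.exec"},
    }
}


if __name__ == "__main__":
    validate_model_config(BENIGN_CONFIG)
    print("benign config: all targets approved")
    try:
        validate_model_config(POISONED_CONFIG)
    except ValueError as err:
        print("poisoned config rejected:", err)
```

The check is deliberately a prefix allow list rather than a deny list of known-bad names such as `builtins.exec` or `os.system`, since a deny list cannot enumerate every callable with side effects. A package prefix is still coarse: an approved package can export functions that do more than construct a model object, which is why the fix pairs the allow list with validation of the expected imports rather than relying on the prefix alone.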
Exploits
No public exploit code observed for this vulnerability.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
An RCE vulnerability affecting NVIDIA’s NeMo AI/ML Python library where loading a model containing malicious metadata can lead to code execution via Hydra’s instantiate mechanism.
High-severity remote code execution risk in Nvidia NeMo where untrusted model metadata is passed to Hydra’s hydra.utils.instantiate(), enabling attackers to invoke arbitrary callables (e.g., eval/os.system) when a poisoned model file is loaded.
Remote code execution risk in Nvidia’s NeMo Python AI library when loading a compromised model file: attacker-controlled model metadata is passed into Hydra’s instantiate() without sufficient validation, allowing execution of arbitrary callables (e.g., builtins.exec, eval, os.system).
Remote code execution risk in Nvidia’s NeMo Python AI library due to unsafe use of Hydra’s instantiate() on untrusted model metadata, allowing attackers to execute arbitrary callables (e.g., builtins.exec, eval, os.system) when a compromised model file is loaded.