CVE-2025-33246

NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, or information disclosure.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://nvd.nist.gov/vuln/detail/CVE-2025-33246	US Government Resource VDB Entry
https://nvidia.custhelp.com/app/answers/detail/a_id/5762	Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2025-33246	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:*

History

17 Jun 2026, 09:13

Type	Values Removed	Values Added
Summary		(es) El NVIDIA NeMo Framework para todas las plataformas contiene una vulnerabilidad en la utilidad ASR Evaluator, donde un usuario podría causar una inyección de comandos al proporcionar una entrada manipulada a un parámetro de configuración. Un exploit exitoso de esta vulnerabilidad podría conducir a la ejecución de código, escalada de privilegios, manipulación de datos o revelación de información.

20 Feb 2026, 19:41

Type	Values Removed	Values Added
References	~~() https://nvd.nist.gov/vuln/detail/CVE-2025-33246 -~~	() https://nvd.nist.gov/vuln/detail/CVE-2025-33246 - US Government Resource, VDB Entry
References	~~() https://nvidia.custhelp.com/app/answers/detail/a_id/5762 -~~	() https://nvidia.custhelp.com/app/answers/detail/a_id/5762 - Vendor Advisory
References	~~() https://www.cve.org/CVERecord?id=CVE-2025-33246 -~~	() https://www.cve.org/CVERecord?id=CVE-2025-33246 - Third Party Advisory
CPE		cpe:2.3:a:nvidia:nemo::::::::
First Time		Nvidia nemo Nvidia

18 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-18 14:16

Updated : 2026-06-17 09:13

NVD link : CVE-2025-33246

Mitre link : CVE-2025-33246

CVE.ORG link : CVE-2025-33246

JSON object : View

Products Affected

nvidia

nemo

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2025-33246", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-33246", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T04:55:41.590027Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "psirt@nvidia.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "affected": [{"source": "psirt@nvidia.com", "affectedData": [{"vendor": "NVIDIA", "product": "NeMo Framework", "versions": [{"status": "affected", "version": "All versions prior to 2.6.1"}], "platforms": ["All platforms"], "defaultStatus": "unaffected"}]}], "published": "2026-02-18T14:16:03.393", "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33246", "tags": ["US Government Resource", "VDB Entry"], "source": "psirt@nvidia.com"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5762", "tags": ["Vendor Advisory"], "source": "psirt@nvidia.com"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-33246", "tags": ["Third Party Advisory"], "source": "psirt@nvidia.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@nvidia.com", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, or information disclosure."}, {"lang": "es", "value": "El NVIDIA NeMo Framework para todas las plataformas contiene una vulnerabilidad en la utilidad ASR Evaluator, donde un usuario podr\u00eda causar una inyecci\u00f3n de comandos al proporcionar una entrada manipulada a un par\u00e1metro de configuraci\u00f3n. Un exploit exitoso de esta vulnerabilidad podr\u00eda conducir a la ejecuci\u00f3n de c\u00f3digo, escalada de privilegios, manipulaci\u00f3n de datos o revelaci\u00f3n de informaci\u00f3n."}], "lastModified": "2026-06-17T09:13:18.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "839C9684-563A-4FBF-9B55-262A9EDA8C1A", "versionEndExcluding": "2.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@nvidia.com"}