- Researchers disclosed serious security issues in the NVIDIA Triton Inference Server used for AI models.
- The vulnerabilities could allow attackers to take full control of servers remotely and without credentials.
- Three flaws in the server’s Python backend could be chained for remote code execution or data theft.
- NVIDIA fixed the issues in version 25.07 and addressed three additional critical bugs.
- There are no reports of attacks so far, but users are urged to update for protection.
A set of security flaws was recently found in the NVIDIA Triton Inference Server, an open-source platform that runs Artificial Intelligence (AI) models at scale on Windows and Linux. According to researchers at Wiz, these problems could let a remote attacker take over a vulnerable server, gaining full control without needing to log in.
The three main vulnerabilities, identified as CVE-2025-23319 (CVSS 8.1), CVE-2025-23320 (CVSS 7.5), and CVE-2025-23334 (CVSS 5.9), affect the Triton server’s Python backend. One flaw allows out-of-bounds writing, another can exceed the server’s memory limits, and the third enables reading out-of-bounds memory. Together, these issues could result in attackers executing their own code, denying service, or stealing information.
“When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE),” explained Wiz’s Ronen Shustin and Nir Ohfeld in their report.
The vulnerabilities are rooted in how the Python backend handles requests for AI models from frameworks like PyTorch and TensorFlow. Attackers could use one weakness to leak the server’s private memory region name, then apply the other flaws to take over the system. This risk includes theft of AI models, exposure of sensitive data, or changing the results that AI models generate.
In its August security bulletin, NVIDIA also addressed three additional issues: CVE-2025-23310, CVE-2025-23311, and CVE-2025-23317. These could let attackers execute their own code, cause denial of service, expose information, or tamper with data if left patched.
There is no current evidence of these vulnerabilities being used in real attacks. Users of the Triton Inference Server are advised to update to version 25.07 or later for full protection.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
