Vulnerabilities in Nvidia's Triton Inference Server enable complete system takeover.
A chain of critical remote code execution (RCE) vulnerabilities affecting the Python backend of NVIDIA's Triton Inference Server was disclosed in 2025. These vulnerabilities, identified as CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334, pose a significant security risk to organizations running scalable AI inference models with Triton.
The vulnerabilities allow unauthenticated remote attackers to gain full control over the server, potentially leading to consequences such as AI model theft, sensitive data breaches, manipulation of AI model responses, or attackers moving into other areas of the network.
The first vulnerability (CVE-2025-23320) is a bug in the Python backend, triggered by exceeding the shared memory limit, causing an error message that reveals the unique name of the backend's internal IPC shared memory region. Attackers can use this unique memory region name to take control of a Triton Inference Server by combining it with the public shared memory API.
The second and third vulnerabilities (CVE-2025-23319 and CVE-2025-23334) are out-of-bounds write and read bugs in the API, respectively, which can be exploited due to sub-par validation. These vulnerabilities affect Triton's Python backend, making organizations that rely on this backend potentially more vulnerable.
Exploitation of these vulnerabilities can cause remote code execution, data tampering, denial of service, and information disclosure. The vulnerability chain enables attackers to execute arbitrary code without authentication, altering server behavior and potentially seizing control over AI workloads.
NVIDIA has acknowledged these vulnerabilities and released patches fixing these issues in the Triton 25.07 update on August 4, 2025. Users are strongly advised to upgrade immediately to mitigate risks.
In addition to these vulnerabilities, another pair of significant remotely accessible memory corruption bugs (CVE-2025-23310 and CVE-2025-23311) were independently discovered by Trail of Bits researchers and patched in the same Triton 25.07 release.
Recommended actions include updating Triton Inference Server to version 25.07 or later, reviewing network and access controls around AI inference infrastructure, and monitoring for unusual activity indicative of misuse of the Triton service.
Organizations running scalable AI inference models with NVIDIA Triton should take immediate action to protect their infrastructure from these critical vulnerabilities.
[1] Link to the official NVIDIA advisory [2] Link to the Wiz research disclosure [3] Link to the Trail of Bits research disclosure [4] Link to the NVIDIA security bulletin [5] Link to the CVE details page
- The disclosed chain of RCE vulnerabilities, CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334, in NVIDIA's Triton Inference Server poses a significant security risk for organizations running AI inference models, potentially leading to incidents like AI model theft, data breaches, AI model response manipulation, and network infiltration.
- The first vulnerability, CVE-2025-23320, is a bug in the Python backend that, when memory limits are exceeded, reveals the unique name of the backend's internal IPC shared memory region, allowing attackers to gain control of the server using the public shared memory API.
- The second and third vulnerabilities, CVE-2025-23319 and CVE-2025-23334, are out-of-bounds write and read bugs in the API, respectively, which can be exploited due to insufficient validation, making organizations relying on the Python backend more vulnerable to attacks.
- NVIDIA has released patches addressing these vulnerabilities in the Triton 25.07 update on August 4, 2025, and it is strongly recommended for users to upgrade to mitigate risks.
- Additionally, another pair of remotely accessible memory corruption bugs, CVE-2025-23310 and CVE-2025-23311, were discovered independently by Trail of Bits researchers and have been patched in the same Triton 25.07 release.
- To protect their infrastructure from these critical vulnerabilities, organizations running scalable AI inference models with NVIDIA Triton should take immediate action, such as updating to Triton 25.07 or later, reviewing network and access controls, and monitoring for signs of misuse.
