Nvidia Triton Server RCE: Chained Python Backend Flaws Exposed
Security researchers have uncovered a series of high-severity vulnerabilities in Nvidia’s Triton Inference Server that, when exploited in sequence, could lead to a complete system compromise. The flaws were detailed by Wiz Research, which reported them to Nvidia, leading to the release of patches.
Successful exploitation of these vulnerabilities could result in significant consequences, including the theft of valuable AI models, breaches of sensitive data, manipulation of AI model responses, and attackers gaining a foothold to move deeper into an organization’s network.
Nvidia’s Triton Inference Server is an open-source platform designed to efficiently run and serve AI models from various major AI frameworks to user-facing applications. It achieves this flexibility through different “backends,” each tailored for a specific framework. The server’s Python backend is particularly versatile, supporting not only Python-based models but also being utilized by other frameworks. This broad reliance on the Python backend means that any security weaknesses within it could potentially affect a large number of organizations using Triton.
The exploitation chain begins with the first vulnerability, identified as CVE-2025-23320 (with a severity score of 7.5). This bug resides in the Python backend and can be triggered by sending an exceptionally large request that exceeds the shared memory limit. When this occurs, the server generates an error message that inadvertently reveals the unique name, or key, of the backend’s internal Inter-Process Communication (IPC) shared memory region.
With this crucial piece of information, attackers can then leverage a public shared memory API to take control of the Triton Inference Server. This API suffers from inadequate validation, making it susceptible to out-of-bounds write and read vulnerabilities, tracked as CVE-2025-23319 (severity 8.1) and CVE-2025-23334 (severity 5.9), respectively. The API fails to properly verify if an attacker-supplied key, even if it’s the unique shared memory name obtained from the first flaw, corresponds to a legitimate user-owned memory region or a private internal one. This oversight allows Triton to accept an attacker’s request to register an endpoint, granting them unauthorized read and write access to that memory region. By manipulating the backend’s shared memory, attackers can ultimately achieve full control over the server.
Wiz Research has not indicated whether this chain of vulnerabilities has been exploited in real-world attacks, stating that they are currently withholding further details.
The research team emphasized the significance of their findings, noting, “This research demonstrates how a series of seemingly minor flaws can be chained together to create a significant exploit.” They added that a verbose error message combined with a feature in the main server that could be misused was sufficient to create a path to potential system compromise. “As companies deploy AI and ML more widely, securing the underlying infrastructure is paramount,” the team stated, highlighting the critical importance of a defense-in-depth strategy where security is considered at every layer of an application.
Nvidia has confirmed that all three security flaws were addressed in version 25.07 of Triton Inference Server, which was released on August 4. All previous versions are vulnerable. Wiz Research extended their gratitude to the Nvidia security team for their “excellent collaboration and swift response” and strongly recommended that all Triton Inference Server users update to the latest version immediately to mitigate these risks.
Triton Inference Server has been widely adopted by organizations of various sizes for several years. Earlier this year, Nvidia introduced Dynamo, which is positioned as the successor to Triton.