New CVEs in NVIDIA Triton Threaten AI Model Security

Multiple high-severity vulnerabilities in NVIDIA’s Triton Inference Server could allow unauthenticated attackers to execute remote code, compromise AI models, and disrupt production environments.

NVIDIA Triton AI Server Bugs Could Let Remote Attackers Hijack AI Infrastructure

By El Mostafa Ouchen | August 4, 2025

In a startling discovery that could impact a wide swath of AI-powered enterprises, cybersecurity researchers have identified several critical vulnerabilities in NVIDIA’s Triton Inference Server, a widely used platform for deploying machine learning models at scale.

The vulnerabilities—disclosed in early August—enable unauthenticated attackers to perform remote code execution (RCE), compromise running AI models, extract sensitive data, or completely disrupt inference workloads hosted in production.

“The implications here are enormous—this isn’t just about downtime,” said Lina Erman, senior AI security analyst at SecSight. “A successful exploit could allow an attacker to manipulate AI outputs or steal proprietary model data.”

NVIDIA has released security updates addressing the flaws in Triton versions prior to 2.41.0, and CVE identifiers have been assigned to track each vulnerability.

What Is NVIDIA Triton?

NVIDIA Triton Inference Server is a high-performance open-source solution designed to serve AI/ML models in production environments. It supports popular frameworks such as TensorFlow, PyTorch, ONNX Runtime, and TensorRT, and is deployed across industries—from finance and healthcare to autonomous vehicles and national security systems.

Due to its ability to scale inference tasks across GPUs and CPUs, Triton is often integrated into Kubernetes clusters, edge devices, and cloud-native architectures.

Details of the Vulnerabilities

The vulnerabilities, discovered by cybersecurity firm Sentry Labs, include the following critical flaws:

• CVE-2025-31031 – Improper input validation in the infer API could allow arbitrary code execution by submitting malicious inference requests.
• CVE-2025-31032 – A flaw in the model repository backend permits path traversal, allowing attackers to read or overwrite model configuration files.
• CVE-2025-31033 – Memory corruption vulnerability in the gRPC service could lead to denial of service or RCE.

These flaws are triggerable without authentication, making exposed Triton endpoints especially vulnerable if not protected by firewalls, reverse proxies, or API gateways.

Broader Implications: AI Security and Model Integrity

As enterprises integrate AI into core operations, inference infrastructure becomes a critical target. If an attacker gains access to inference servers, they could:

• Manipulate AI model predictions (e.g., fraud detection, facial recognition)
• Steal trained proprietary models and training data
• Inject adversarial examples or poisoned data
• Disrupt AI-driven decision-making systems

“AI systems are only as secure as the infrastructure behind them,” said Erman. “Inference servers need the same rigor in patching and hardening as any other mission-critical service.”

Recommendations and Mitigation

NVIDIA urges all Triton users to:

• Upgrade to version 2.41.0 or later immediately
• Ensure inference endpoints are not directly exposed to the internet
• Enforce network segmentation and zero trust architecture
• Enable TLS encryption and API authentication where possible
• Monitor Triton service logs for anomalous inference requests

Cloud providers and MLOps teams managing Triton in containerized environments should also validate Kubernetes pod security policies and storage configurations.