**Demonstrating CVE-2025-23320**
This repo replicates CVE-2025-23320, demonstrating CWE-209, Generation of Error Message Containing Sensitive Information(CVSS Score: 7.5). This vulnerability exists on all NVIDIA Triton inference servers 25.06 and before.
This docker setup runs a network containing an NVIDIA triton inference server and an attacking client. This environment also ensures the client runs on linux, so the CVE is replicable on all operating systems.
**To build/run**
docker compose --build-no-cache
if this is the first time running, this could take a while, as this pulls the NVIDIA triton server version 25.06 image from github
Then:
docker compose up
**POC**
The attacking client script is run automatically, outputting an error message in the form: Failed to increase the shared memory pool size for key 'triton_python_backend_shm_region_8a463f1a-fcd6-4c1b-b4b5-df63f9c512ad' to 54525952 bytes.
After obtaining this key, an attacker can perform numerous actions. In our code implementation, the attacker utilized Triton's unregister API. Since Triton does not verify who is invoking this API, the function will execute. If the attacker subsequently uses the register function, successfully triggering a race condition, it will result in an out-of-bounds (OOB) write.
[4.0K] /data/pocs/6de5c76d73e00fe3b86727e0c572ed770a7d61f2
├── [4.0K] client
│ ├── [2.7K] attacker.py
│ ├── [ 714] Dockerfile
│ └── [2.7K] victim.py
├── [ 906] docker-compose.yml
├── [4.0K] models
│ └── [4.0K] identity
│ ├── [4.0K] 1
│ │ └── [ 835] model.py
│ └── [ 244] config.pbtxt
└── [1.3K] README.md
5 directories, 7 files