Preface: NeMo 2.0 is NVIDIA’s major modernization of the NeMo ecosystem.
Two things to remember about NeMo 2.0:
1. NeMo 2.0 is the training and model-building framework.
It focuses on:
• Model architectures (LLMs, ASR, TTS, multimodal)
• Training pipelines
• NeMo Run + NeMo-based microservices
• Distributed GPU/accelerated workflows
2. NeMo Guardrails and NeMo Curator are NOT part of the NeMo 2.0 training stack.
They live adjacent to NeMo 2.0, serving two different lifecycle phases.
Background: NeMo 1.x modules (ASR collections, VAD, etc.) used pickle because they relied heavily on Python multiprocessing and Python objects.
NeMo 2.0 is moving toward language- and framework-agnostic formats.
Instead of pickle, NeMo 2.0 favors:
• Safetensors (for weights)
• JSON / YAML (for metadata)
• Parquet (for curated datasets)
• NumPy / torch tensors loaded explicitly
• HuggingFace compatible formats
These formats are:
• Safe
• Portable across hardware and OS
• Usable by non-Python systems
• Compatible with cloud trust boundaries
NeMo Curator and NeMo Guardrails are designed to avoid pickle entirely.
Even though older NeMo components still used pickle internally:
- NeMo Curator does not ingest pickle data
- NeMo Guardrails never used pickle at all
- The NeMo 2.0 framework minimizes or removes it
This aligns with modern security guidance for LLM infrastructure.
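The difference between the two serialization choices above can be checked before any loader runs. The following is an added example, not NeMo code: it recognises a pickle stream by its protocol header and refuses it, and it validates a safetensors blob (8-byte little-endian header length, JSON header, raw tensor bytes) purely structurally, so a tampered header is rejected without executing anything. The sample inputs are constructed inline; the header size bound and the dtype table are assumptions covering a subset of the safetensors dtype list.

```python
import json
import pickle
import struct

# Bytes per element for the dtypes checked here (subset of the safetensors dtype list).
DTYPE_SIZE = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4,
              "I16": 2, "I8": 1, "U8": 1, "BOOL": 1}
MAX_HEADER_BYTES = 100 * 1024 * 1024  # assumed sanity bound on the JSON header


def looks_like_pickle(blob: bytes) -> bool:
    # Pickle protocol 2+ streams begin with the PROTO opcode (0x80) and a version byte.
    return len(blob) >= 2 and blob[0] == 0x80 and 2 <= blob[1] <= 5


def parse_safetensors_header(blob: bytes) -> dict:
    # Validate structurally: header length, JSON object, and every tensor's
    # data_offsets must fit the payload and match dtype * shape.
    if len(blob) < 8:
        raise ValueError("too short for safetensors")
    (hlen,) = struct.unpack("<Q", blob[:8])
    if hlen > MAX_HEADER_BYTES or 8 + hlen > len(blob):
        raise ValueError("header length out of bounds")
    header = json.loads(blob[8:8 + hlen].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    data_len = len(blob) - 8 - hlen
    for name, meta in header.items():
        if name == "__metadata__":
            continue
        begin, end = meta["data_offsets"]
        n_elems = 1
        for dim in meta["shape"]:
            n_elems *= dim
        expected = n_elems * DTYPE_SIZE[meta["dtype"]]
        if not (0 <= begin <= end <= data_len) or end - begin != expected:
            raise ValueError(f"tensor {name!r}: offsets inconsistent with dtype/shape")
    return header


def load_weights(blob: bytes) -> dict:
    # Loader policy: refuse pickle outright; accept only a validated safetensors header.
    if looks_like_pickle(blob):
        raise ValueError("refusing pickle-serialized weights")
    return parse_safetensors_header(blob)


# Constructed sample inputs (not real checkpoints).
_hdr = json.dumps({"w": {"dtype": "F32", "shape": [2, 2], "data_offsets": [0, 16]},
                   "__metadata__": {"format": "pt"}}).encode()
SAMPLE_SAFETENSORS = struct.pack("<Q", len(_hdr)) + _hdr + struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)
SAMPLE_PICKLE = pickle.dumps({"w": [1.0, 2.0]}, protocol=4)
# Tampered header: claims 32 bytes of tensor data but only 16 follow.
_bad = json.dumps({"w": {"dtype": "F32", "shape": [2, 4], "data_offsets": [0, 32]}}).encode()
SAMPLE_TAMPERED = struct.pack("<Q", len(_bad)) + _bad + struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)
```

The same check applied to a real checkpoint directory would let a pipeline reject pickle-based files at the trust boundary before a weight loader ever sees them.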
Vulnerability details: CVE-2025-33245 NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Official announcement: Please refer to the link for details –