CVE-2025-54886
📋 TL;DR
CVE-2025-54886 is a deserialization vulnerability in the skops Python library that allows arbitrary code execution when loading models. Attackers can exploit this by providing malicious joblib files that bypass skops' security validation. Users of skops versions 0.12.0 and below who load untrusted model files are affected.
💻 Affected Systems
- skops
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through remote code execution, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Local privilege escalation or data exfiltration when users load malicious model files from untrusted sources.
If Mitigated
Limited impact if only trusted model files are loaded and proper file validation is implemented.
🎯 Exploit Status
Exploitation requires the attacker to provide a malicious joblib file to a vulnerable Card.get_model call. No authentication bypass is needed beyond file upload/access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.0
Vendor Advisory: https://github.com/skops-dev/skops/security/advisories/GHSA-378x-6p4f-8jgm
Restart Required: No
Instructions:
1. Update skops to version 0.13.0 or higher using pip: pip install --upgrade 'skops>=0.13.0' (quote the requirement so the shell does not treat > as a redirect)
2. Verify the update with: pip show skops
3. Test model loading functionality after the update.
🔧 Temporary Workarounds
Restrict file extensions
Only allow loading of .skops or .zip files to prevent the fallback to joblib loading.
# In your code, validate the file extension before calling Card.get_model()
if not filename.endswith(('.skops', '.zip')):
    raise ValueError('Only .skops or .zip files are allowed')
Use explicit loading methods
Use skops.io.load() directly instead of Card.get_model(), so the file is only ever parsed by the skops format loader. Do not pass trusted=True: that accepts every type found in the file and defeats the purpose. Inspect the file first and allow only types you have reviewed.
import skops.io
# Review this list before use; passing it back unreviewed trusts everything in the file
untrusted = skops.io.get_untrusted_types(file='model.skops')
model = skops.io.load('model.skops', trusted=untrusted)
🧯 If You Can't Patch
- Only load model files from trusted sources and verify file integrity before loading.
- Implement strict file validation to reject non-.skops files and monitor for joblib file loading attempts.
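The two workarounds above and the "If You Can't Patch" items come down to one gate placed in front of the loader. Below is that gate as an added example; it is not code from the skops project or from this advisory. The sample files are constructed bytes written to a temporary directory, not real models, and load_model_checked assumes skops 0.13.0 or newer is installed.

```python
"""Pre-load gate for model files before they reach skops (added example).

Not code from the skops project or the advisory. It enforces the two workarounds
in one place: an extension allowlist plus a content check, so a pickle renamed to
.skops cannot slip through to a joblib/pickle fallback. Sample files are
constructed in a temporary directory; they are not real models.
"""
import pickle
import tempfile
import zipfile
from pathlib import Path

ALLOWED_SUFFIXES = {".skops", ".zip"}
ZIP_MAGIC = b"PK\x03\x04"      # local file header signature every zip archive starts with
PICKLE_MAGIC = b"\x80"         # PROTO opcode that opens every protocol >= 2 pickle stream


class UnsafeModelFile(ValueError):
    """Raised for any file that must not be handed to a model loader."""


def classify_model_file(path) -> str:
    """Return 'skops-archive' if the file may be passed to skops.io.load, else raise.

    Order matters: the cheap extension check first, then the first bytes, then a
    full zip structure check (a renamed pickle passes the extension check alone).
    """
    path = Path(path)
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeModelFile(f"{path.name}: extension {path.suffix!r} not in allowlist")
    with path.open("rb") as fh:
        head = fh.read(len(ZIP_MAGIC))
    if head[:1] == PICKLE_MAGIC:
        raise UnsafeModelFile(f"{path.name}: content is a pickle stream despite the extension")
    if head != ZIP_MAGIC or not zipfile.is_zipfile(path):
        raise UnsafeModelFile(f"{path.name}: not a zip archive")
    return "skops-archive"


def load_model_checked(path):
    """Gate the file, then load it with skops' explicit loader (assumes skops >= 0.13.0).

    skops is imported lazily so the gate itself runs without it installed. No extra
    trusted types are passed; widen only with types reviewed via get_untrusted_types.
    """
    classify_model_file(path)
    import skops.io
    return skops.io.load(path)


def _write_samples(tmp: Path) -> dict:
    """Construct three sample files (constructed bytes, not real models)."""
    good = tmp / "model.skops"                      # genuine zip archive
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("schema.json", "{}")
    renamed = tmp / "renamed.skops"                 # pickle stream wearing a .skops name
    renamed.write_bytes(pickle.dumps({"constructed": True}))
    plain = tmp / "model.pkl"                       # joblib/pickle-style extension
    plain.write_bytes(pickle.dumps([1, 2, 3]))
    return {"good": good, "renamed_pickle": renamed, "pkl": plain}


def run_demo() -> dict:
    """Run the gate over the constructed samples and return a verdict per sample."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        for label, p in _write_samples(Path(d)).items():
            try:
                verdicts[label] = classify_model_file(p)
            except UnsafeModelFile as exc:
                verdicts[label] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:15} {verdict}")
```

The content check is what makes the extension allowlist meaningful: the advisory's concern is the fallback to joblib, and an attacker-controlled file name is cheaper to forge than zip structure. Rejected files should be logged with the reason string, which lines up with the "failed model loading attempts with non-.skops files" indicator in the detection section.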
🔍 How to Verify
Check if Vulnerable:
Check skops version with: 'python -c "import skops; print(skops.__version__)"' - versions <=0.12.0 are vulnerable.
Check Version:
python -c "import skops; print(skops.__version__)"
Verify Fix Applied:
After updating, verify version is >=0.13.0 and test loading a non-.zip file - it should now raise a warning or error instead of silently using joblib.
📡 Detection & Monitoring
Log Indicators:
- Unexpected joblib module imports during model loading
- Errors or warnings about untrusted file formats in skops logs
- Failed model loading attempts with non-.skops files
Network Indicators:
- Downloads of model files from untrusted sources
- Unusual outbound connections after model loading
SIEM Query:
Process execution events where skops loads model files followed by suspicious child processes or network connections.
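The log indicators above ("unexpected joblib module imports", loads that resolve unexpected classes) can be produced from inside the Python process itself. The following is an added example, not code from the advisory or from skops: it uses Python's audit hooks (sys.addaudithook, Python 3.8+) to record loader-module imports and every global a pickle stream asks for during a model load. The expected module roots and the demo payload (a plain OrderedDict) are constructed for illustration.

```python
"""Runtime detector for pickle/joblib class resolution during model loading.

Added example, not code from the advisory or from skops. Audit hooks record which
loader modules are imported and which globals a pickle stream resolves while a
model is being loaded; the summary is what a SIEM rule would key on. EXPECTED_ROOTS
and the demo payload are constructed for illustration.
"""
import collections
import pickle
import sys
from contextlib import contextmanager

# Module roots a scikit-learn model is expected to reference; anything else is reported
EXPECTED_ROOTS = {"sklearn", "numpy", "scipy"}
# Modules whose import during a load means a pickle-based path is being used
LOADER_MODULES = {"joblib", "pickle", "dill", "cloudpickle"}

_records: list = []
_active = False
_installed = False


def _audit_hook(event: str, args: tuple) -> None:
    """Record loader imports and pickle global lookups, but only inside a load window."""
    if not _active:
        return
    if event == "import" and args[0].split(".")[0] in LOADER_MODULES:
        _records.append({"kind": "loader_import", "module": args[0]})
    elif event == "pickle.find_class":
        module, name = args[0], args[1]
        _records.append({"kind": "find_class", "module": module, "name": name,
                         "unexpected": module.split(".")[0] not in EXPECTED_ROOTS})


@contextmanager
def monitored_model_load():
    """Open a recording window around a model load; yields the records collected."""
    global _active, _installed
    if not _installed:
        sys.addaudithook(_audit_hook)   # hooks cannot be removed, so gate on _active instead
        _installed = True
    _records.clear()
    _active = True
    try:
        yield _records
    finally:
        _active = False


def summarize(records) -> dict:
    """Reduce raw records to the fields a detection rule would match on."""
    unexpected = sorted({f"{r['module']}.{r['name']}" for r in records
                         if r["kind"] == "find_class" and r["unexpected"]})
    loaders = sorted({r["module"] for r in records if r["kind"] == "loader_import"})
    return {"unexpected_globals": unexpected, "loader_imports": loaders,
            "alert": bool(unexpected)}


def run_demo() -> dict:
    """Load a constructed, benign pickle inside a monitored window.

    Its only global, collections.OrderedDict, lies outside EXPECTED_ROOTS, so the
    summary flags it; a model file that resolves os, subprocess or builtins names
    would surface in exactly the same way.
    """
    payload = pickle.dumps(collections.OrderedDict(weights=[0.1, 0.2]))
    with monitored_model_load() as records:
        pickle.loads(payload)
    return summarize(records)


if __name__ == "__main__":
    print(run_demo())
```

Wrap the call to Card.get_model() or skops.io.load() in monitored_model_load() and ship the summary to the logging pipeline; an alert on any unexpected global, or on a joblib import during a load that was supposed to use the skops format, is the in-process counterpart of the SIEM query above.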