CVE-2025-54886
Published: 08 August 2025
Summary
CVE-2025-54886 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter: Python (T1059.006). The CVE ranks in the top 19.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under Machine Learning Libraries, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
skops is a Python library for sharing scikit-learn models. In versions 0.12.0 and earlier, the Card.get_model function lacks safeguards against arbitrary code execution. It attempts secure loading with trusted-type validation for .skops files but silently falls back to joblib when presented with any other file format, allowing deserialization of untrusted data without warning or restriction.
An attacker with the ability to supply a model file to Card.get_model can achieve remote code execution by providing a joblib-formatted artifact containing malicious payloads. No user privileges or interaction are required, and the CVSS 8.4 rating reflects the resulting high impact on confidentiality, integrity, and availability through execution of attacker-controlled code during the load operation.
The vulnerability is addressed in version 0.13.0. The accompanying GitHub security advisory GHSA-378x-6p4f-8jgm and the referenced commit detail the removal of the unsafe fallback path and the enforcement of skops-format handling.
EPSS remains low and unchanged at 0.0134 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23967
Vulnerability details
skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model function does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.
CWE(s): CWE-502 (Deserialization of Untrusted Data)
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: scikit-learn
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary code execution via silent fallback to insecure joblib deserialization when loading non-.skops models in the Python skops library, facilitating Python interpreter abuse (T1059.006) and exploitation for client execution (T1203).
Mitigating Controls (NIST 800-53 r5)
Remediating the flaw in skops versions 0.12.0 and below by upgrading to 0.13.0 directly eliminates the unsafe fallback to joblib's arbitrary code execution during model loading.
Validating model file formats and extensions as .skops prior to calling Card.get_model prevents processing of non-.zip formats that trigger the insecure joblib loader.
Verifying the integrity of model files with cryptographic hashes or signatures before deserialization detects tampering that could exploit joblib's unsafe loading mechanism.
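A defender-side gate that implements the two controls above, added here as an example and not code from the skops project: it hands a file to the loader only if it is a structurally valid .skops zip archive (extension, zip magic, schema.json member) and matches a pinned SHA-256. The loader is passed in as a callable so the snippet runs without skops installed; in practice it would be skops.io.load or a Card's get_model. The sample files, the schema content and the digest pin are constructed for the demo.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Stream the file so large models never have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_like_skops(path: Path) -> bool:
    # A .skops artifact is a zip archive carrying schema.json. The vulnerable fallback
    # fires when zip parsing fails, not on the extension, so a renamed pickle is caught here.
    if path.suffix != ".skops" or not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return "schema.json" in zf.namelist()

def vet_model_file(path, expected_sha256: str) -> Path:
    # Reject anything that is not a structurally valid .skops file with the pinned digest.
    path = Path(path)
    if not looks_like_skops(path):
        raise ValueError(f"{path.name}: not a skops archive, refusing to load")
    actual = sha256_of(path)
    if actual != expected_sha256.lower():
        raise ValueError(f"{path.name}: digest {actual} != pinned {expected_sha256}")
    return path

def guarded_load(path, expected_sha256: str, loader):
    # Only hand the file to the real loader (skops.io.load / Card.get_model) after vetting.
    return loader(vet_model_file(path, expected_sha256))

def demo():
    # Constructed inputs: a minimal skops-shaped zip and a pickle-looking blob named .skops.
    d = Path(tempfile.mkdtemp())
    good, bad = d / "model.skops", d / "evil.skops"
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("schema.json", '{"protocol": 0}')
    bad.write_bytes(b"\x80\x04\x95" + b"\x00" * 16)  # pickle protocol-4 header, not a zip
    results = {"good": looks_like_skops(good), "bad": looks_like_skops(bad)}
    try:
        vet_model_file(good, "0" * 64)  # right structure, wrong pin: still rejected
        results["wrong_pin"] = "accepted"
    except ValueError:
        results["wrong_pin"] = "rejected"
    results["loaded"] = guarded_load(good, sha256_of(good), lambda p: p.name)
    return results
```

An extension check alone is not sufficient, because the fallback described in the advisory is triggered by a failed zip parse rather than by the file name.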