CVE-2025-54886

Severity: High
Published: 08 August 2025
Modified: 15 April 2026
KEV Added: none (not in the CISA KEV catalog)
Patch: available (version 0.13.0)
CVSS v3.1 score: 8.4 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0134 (80.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54886 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked in the top 19.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Machine Learning Libraries, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

skops is a Python library for sharing scikit-learn models. In versions 0.12.0 and earlier, the Card.get_model function lacks safeguards against arbitrary code execution. It attempts secure loading with trusted-type validation for .skops files but silently falls back to joblib when presented with any other file format, allowing deserialization of untrusted data without warning or restriction.

An attacker with the ability to supply a model file to Card.get_model can achieve remote code execution by providing a joblib-formatted artifact containing malicious payloads. No user privileges or interaction are required, and the CVSS 8.4 rating reflects the resulting high impact on confidentiality, integrity, and availability through execution of attacker-controlled code during the load operation.

The vulnerability is addressed in version 0.13.0. The accompanying GitHub security advisory GHSA-378x-6p4f-8jgm and the referenced commit detail the removal of the unsafe fallback path and the enforcement of skops-format handling.

EPSS remains low and unchanged at 0.0134 with no observed rise after disclosure.

Vulnerability details

skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model function does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.

CWE(s): CWE-502 Deserialization of Untrusted Data

AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: scikit-learn

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.006 Python (tactic: Execution): Adversaries may abuse Python commands and scripts for execution.
T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability enables arbitrary code execution via silent fallback to insecure joblib deserialization when loading non-.skops models in the Python skops library, facilitating Python interpreter abuse (T1059.006) and exploitation for client execution (T1203).

CVEs Like This One

CVE-2026-3071 (shared CWE-502)
CVE-2026-45360 (shared CWE-502)
CVE-2025-58757 (shared CWE-502)
CVE-2026-38950 (shared CWE-502)
CVE-2026-31222 (shared CWE-502)
CVE-2026-31223 (shared CWE-502)
CVE-2026-21226 (shared CWE-502)
CVE-2026-31224 (shared CWE-502)
CVE-2025-60036 (shared CWE-502)
CVE-2026-42471 (shared CWE-502)

Affected Assets

Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating the flaw in skops versions 0.12.0 and below by upgrading to 0.13.0 directly eliminates the unsafe fallback to joblib's arbitrary code execution during model loading.

Prevent: Validating that model files are in the .skops format, with the matching extension, prior to calling Card.get_model prevents processing of non-.zip formats that trigger the insecure joblib loader.

Prevent: Verifying the integrity of model files with cryptographic hashes or signatures before deserialization detects tampering that could exploit joblib's unsafe loading mechanism.
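The pre-load gate that the last two controls describe, as an added example (not code from the skops project or from this advisory): an extension check, a zip-magic check so that a renamed non-skops file cannot reach the joblib fallback, and a SHA-256 comparison against a digest recorded when the model was published. The sample artifacts are constructed in-line; `load_model_checked` assumes skops 0.13.0 or later is installed and that `skops.io.load` accepts a `trusted` list.

```python
import hashlib
import hmac
import io
import pickle
import zipfile


def validate_model_bytes(filename: str, data: bytes, expected_sha256: str):
    """Gate a model artifact before any deserialization happens.

    Returns (ok, reason). All three checks must pass:
      1. the name carries the .skops extension;
      2. the bytes really are a zip archive (the skops container), so the
         joblib fallback described in the advisory cannot be reached;
      3. the SHA-256 digest matches the value recorded at publish time.
    """
    if not filename.lower().endswith(".skops"):
        return False, "unexpected extension"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "not a zip archive"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        return False, "sha256 mismatch"
    return True, "ok"


def load_model_checked(path: str, expected_sha256: str, trusted=None):
    """Validate first, then load only through skops' trusted-type loader."""
    with open(path, "rb") as fh:
        data = fh.read()
    ok, reason = validate_model_bytes(path, data, expected_sha256)
    if not ok:
        raise ValueError(f"refusing to load {path}: {reason}")
    from skops.io import load  # assumption: skops >= 0.13.0 is installed
    return load(path, trusted=trusted)


# Constructed sample artifacts (not real models) so the example runs offline.
def _constructed_skops_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("schema.json", "{}")  # placeholder member, not a real schema
    return buf.getvalue()


SAMPLE_SKOPS = _constructed_skops_archive()
SAMPLE_SKOPS_SHA256 = hashlib.sha256(SAMPLE_SKOPS).hexdigest()
SAMPLE_PICKLE = pickle.dumps({"harmless": 1})  # a pickle blob standing in for a joblib file
SAMPLE_PICKLE_SHA256 = hashlib.sha256(SAMPLE_PICKLE).hexdigest()

if __name__ == "__main__":
    print(validate_model_bytes("model.skops", SAMPLE_SKOPS, SAMPLE_SKOPS_SHA256))
    print(validate_model_bytes("model.skops", SAMPLE_PICKLE, SAMPLE_PICKLE_SHA256))
```

The second check matters more than the first: a pickle renamed to `.skops` passes the extension test but is rejected as "not a zip archive" before any loader runs.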
