Cyber Posture

CVE-2025-54886

Severity: High
Published: 08 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in skops 0.13.0)
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (61.9th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54886 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Python (T1059.006). The CVE ranks in the top 38.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Machine Learning Libraries, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Python (T1059.006) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating the flaw in skops versions 0.12.0 and below by upgrading to 0.13.0 directly eliminates the unsafe fallback to joblib's arbitrary code execution during model loading.

Prevent: Validating model file formats and extensions as .skops prior to calling Card.get_model prevents processing of non-.zip formats that trigger the insecure joblib loader.

Prevent: Verifying the integrity of model files with cryptographic hashes or signatures before deserialization detects tampering that could exploit joblib's unsafe loading mechanism.

MITRE ATT&CK Enterprise Techniques

T1059.006 Python (tactic: Execution): Adversaries may abuse Python commands and scripts for execution.
T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability enables arbitrary code execution via silent fallback to insecure joblib deserialization when loading non-.skops models in the Python skops library, facilitating Python interpreter abuse (T1059.006) and exploitation for client execution (T1203).

NVD Description

skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.

Deeper analysis

CVE-2025-54886 is a high-severity vulnerability (CVSS 3.1 score of 8.4) affecting the skops Python library, which facilitates sharing and shipping scikit-learn-based machine learning models, in versions 0.12.0 and earlier. The issue resides in the Card.get_model function, which lacks safeguards against arbitrary code execution. While it securely loads .skops models using skops' trusted type validation, it silently falls back to the joblib loader for non-.zip file formats without warning. Joblib's deserialization permits arbitrary code execution (CWE-502: Deserialization of Untrusted Data), bypassing skops' security controls.

A local attacker with no privileges required can exploit this by providing a malicious model file in a non-.skops format. When a user or application calls Card.get_model on the file, it invokes joblib's unsafe loading mechanism, enabling execution of embedded malicious code. This grants high-impact confidentiality, integrity, and availability compromise with low attack complexity and no user interaction needed, potentially leading to full system compromise on the host loading the model.

The vulnerability is addressed in skops version 0.13.0, as detailed in the project's security advisory (GHSA-378x-6p4f-8jgm) and the fixing commit (29d61ea8a92f2bde6830e8f32cc72a1a87211cda). Security practitioners should advise upgrading to 0.13.0 immediately and validate model file formats before loading to prevent fallback to joblib.
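A pre-load gate that enforces the mitigations listed above (extension validation before Card.get_model, hash verification before deserialization) and the advice in the analysis. This is example code written for this page, not code from the skops project: it refuses anything that is not a .skops zip container and anything whose sha256 is not allowlisted, so the file never reaches the joblib fallback. The skops.io.load call and its trusted parameter are assumed from the library's public API; the allowlist and sample bytes are constructed.

```python
import hashlib
import io
import zipfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_model_artifact(name: str, data: bytes, trusted_digests: set[str]) -> tuple[bool, str]:
    """Gate a model file before it reaches Card.get_model / skops.io.load.

    Returns (ok, detail). All three gates must pass: the extension must be
    .skops (in skops <= 0.12.0 anything else is routed to joblib's unsafe
    loader), the bytes must really be a zip container, and the sha256 must
    be on the deployment's allowlist.
    """
    suffix = Path(name).suffix.lower()
    if suffix != ".skops":
        return False, f"refused {name}: extension {suffix or '(none)'} is not .skops"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, f"refused {name}: not a zip container despite .skops extension"
    digest = sha256_hex(data)
    if digest not in trusted_digests:
        return False, f"refused {name}: sha256 {digest[:16]}... not in allowlist"
    return True, digest


def load_model_safely(path: str, trusted_digests: set[str], trusted_types=None):
    """Read the file, run the gates, and only then call skops' type-checked loader."""
    data = Path(path).read_bytes()
    ok, detail = check_model_artifact(Path(path).name, data, trusted_digests)
    if not ok:
        raise ValueError(detail)
    # Assumption: skops.io.load(file, trusted=...) is skops' secure loader.
    # It is imported lazily so the gate logic itself has no skops dependency.
    from skops.io import load
    return load(path, trusted=trusted_types)


def demo_checks() -> dict[str, bool]:
    """Constructed samples (not real models) exercising each gate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("schema.json", "{}")  # minimal stand-in for a .skops container
    good = buf.getvalue()
    allow = {sha256_hex(good)}
    return {
        "joblib_ext_refused": not check_model_artifact("model.joblib", good, allow)[0],
        "non_zip_refused": not check_model_artifact("model.skops", b"\x80\x04pickle", allow)[0],
        "unknown_digest_refused": not check_model_artifact("model.skops", good, set())[0],
        "allowlisted_accepted": check_model_artifact("model.skops", good, allow)[0],
    }
```

The extension check alone is not sufficient on its own: a renamed pickle with a .skops suffix is caught by the zip-container check, and a tampered but well-formed container is caught by the digest allowlist.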

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

Affected Products: skops versions 0.12.0 and below (inferred from references and description; NVD did not file a CPE for this CVE)

AI Security Analysis

AI Category
Machine Learning Libraries
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
skops is a library for sharing and serializing scikit-learn models, which is a core machine learning library, and the vulnerability affects model loading in ML workflows.

CVEs Like This One (shared CWE-502)

CVE-2026-3071
CVE-2025-58757
CVE-2026-21226
CVE-2025-60036
CVE-2025-54539
CVE-2025-33214
CVE-2025-33252
CVE-2026-24765
CVE-2025-70560
CVE-2025-67729
