8.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54886

GHSA ID

GHSA-378x-6p4f-8jgm

EPSS Score

CWE

CWE-502

Published

8/7/2025

Updated

8/7/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54886

CVE-2025-54886: SKOPS Card.get_model happily allows arbitrary code execution

Summary

When using Card.get_model, skops allows for arbitrary code execution. This is due to the fact that Card.get_model allows both joblib and skops to be used for loading models, and as is well known, joblib allows for arbitrary code execution when loading objects. I do not know if this is intended or not, but I found this really concerning for a library that is founded on security. Even if intended, I kindly ask you to consider the security implications of this, disclose the potential implications through an advisory, and change the behavior of the function in future library versions (see below for possible fixes).

What is the issue?

The Card.get_model function allows loading models using the get_model method. When a .skops model is provided, it uses the load function from skops, which is secure to our knowledge. The Card class also allows consistent management of the trusted list, allowing it to be passed during instance creation. As expected, if a skops model is provided without a trusted list, and an untrusted type is found during loading, it will raise an error. This is perfectly fine and consistent with the security principles of skops.

The problem arises when a file format different from a .zip file is provided. In this case, as shown in the code snippet below, the joblib library is used to load the model. This happens silently, without any warning or indication that the model is being loaded using joblib. This is a significant security risk, as joblib does not enforce the same security measures as skops, allowing for arbitrary code execution

# from `card/_model_card.py:354-358`
try:
    if zipfile.is_zipfile(model_path):
        model = load(model_path, trusted=trusted)
    else:
        model = joblib.load(model_path)

Hence, for example, a simple code like the following will execute arbitrary code:

from skops.card import Card

card = Card("model.skops")
clf  = card.get_model()

In this case, despite the name, the model.skops file is not a .zip file, and thus the joblib.load function is called, allowing for arbitrary code execution. This is also difficult to spot for the user, since the check is transparent and performed on the file's nature, not on the file extension or name.

Note: this happens despite the trusted list being passed during the Card instance creation or any other parameter.

Impact

An attacker can exploit this vulnerability by crafting a malicious model file that, when loaded using Card.get_model, executes arbitrary code on the victim's machine. The attack does not require any special privileges or additional steps from the victim; simply loading the model is sufficient to trigger the execution of the attacker's code. The attack happens silently and at loading time, making it particularly stealthy and difficult to detect. This is particularly concerning if we consider that Card.get_model and skops are often used in collaborative environments and that skops promotes a security-oriented policy.

Thank you for your attention to this matter. I hope this report helps improve the security of the Card.get_model function and the overall security posture of the skops library.

(GitHub Advisory)

8.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54886

GHSA ID

GHSA-378x-6p4f-8jgm

EPSS Score

CWE

CWE-502

Published

8/7/2025

Updated

8/7/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
skops	pip	< 0.13.0	0.13.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the skops library's model loading mechanism. The core of the issue lies in the _load_model function, which is responsible for loading machine learning models. This function had a critical flaw: if the provided model file was not a .skops file (which is a secure zip archive), it would fall back to using joblib.load. The joblib.load function uses Python's pickle module, which is not secure against maliciously crafted files and can be exploited for arbitrary code execution. This is a classic example of CWE-502: Deserialization of Untrusted Data.

The vulnerability is exposed to the user through the Card.get_model method. When a user creates a Card object with a path to a malicious (non-zip) model file and then calls get_model(), the chain of calls Card.get_model() -> Card._model -> _load_model() is executed. This triggers the insecure deserialization with joblib.load, resulting in code execution on the victim's machine.

The patch addresses this by introducing an allow_pickle flag in the Card class, which is False by default. The _load_model function was modified to check this flag before attempting to use joblib.load. If allow_pickle is False (the default), and the file is not a .skops file, the function now raises a RuntimeError instead of insecurely loading it. This change makes the behavior secure by default and requires the user to explicitly opt-in to the potentially dangerous behavior, thus mitigating the risk.

Vulnerable functions

_load_model

skops/card/_model_card.py

The `_load_model` function is vulnerable because it uses `joblib.load` to deserialize model files that are not in the `.skops` (zip) format. The `joblib.load` function is known to be insecure for loading files from untrusted sources, as it can lead to arbitrary code execution. Before the patch, this was the default behavior for any non-zip file, happening silently without any warning to the user.

Card.get_model

skops/card/_model_card.py

This is the public, user-facing method that triggers the vulnerability. It calls the internal `_load_model` function (via the `_model` cached property) to load the model. An attacker can craft a malicious model file, and when a user calls `Card.get_model()` on it, the vulnerable `_load_model` function is executed, leading to arbitrary code execution. The patch mitigates this by requiring the user to explicitly set `allow_pickle=True` on the `Card` object to load non-skops files.

WAF Protection Rules

WAF Rule

## Summ*ry W**n usin* `**r*.**t_mo**l`, `skops` *llows *or *r*itr*ry *o** *x**ution. T*is is *u* to t** ***t t**t `**r*.**t_mo**l` *llows *ot* `jo*li*` *n* `skops` to ** us** *or lo**in* mo**ls, *n* *s is w*ll known, `jo*li*` *llows *or *r*itr*ry *o

Reasoning

T** vuln*r**ility *xists in t** `skops` li*r*ry's mo**l lo**in* m****nism. T** *or* o* t** issu* li*s in t** `_lo**_mo**l` *un*tion, w*i** is r*sponsi*l* *or lo**in* m***in* l**rnin* mo**ls. T*is *un*tion *** * *riti**l *l*w: i* t** provi*** mo**l *i

8.4

Basic Information

Concerned about an active attack path?

CVE-2025-54886: SKOPS Card.get_model happily allows arbitrary code execution

Summary

What is the issue?

Impact

8.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI