PT-2025-30943 · Unknown+1 · Scikit-Learn+1

Io-No · Published 2025-07-25 · Updated 2025-07-26 · CVE-2025-54412

CVSS v4.0: 8.7 (High)

Vector: AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Summary

Name of the Vulnerable Software and Affected Versions: skops versions 0.11.0 and below

Description: skops is a Python library used for sharing and shipping scikit-learn based models. An inconsistency in the OperatorFuncNode can be exploited to hide the execution of untrusted operator methods. This can be leveraged in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types. The vulnerability stems from a discrepancy between what is returned by get_untrusted_types and checked during loading, and what is actually called during the construction of the OperatorFuncNode. Specifically, the module key is not used in the construction, so an attacker can forge a module name that, when combined with the class name, appears harmless while the call that actually runs is an operator.xxx method. A proof-of-concept demonstrates arbitrary code execution by combining OperatorFuncNode with the skops.io.loads function and a hidden model within a zip file.

Recommendations: Versions prior to 0.12.0 are vulnerable. Update to version 0.12.0 or later to resolve this issue.
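
The check-versus-use mismatch described above, reduced to a toy loader (an added example, not skops code and not the project's fix). The node field names, the sklearn.utils module string and the helper functions are assumptions made for illustration; the hardened resolver shows one way to make the audited name and the executed callable agree.

```python
import operator

# Constructed nodes for a toy loader; the "__module__"/"__class__"/"args" field
# names are assumptions of this sketch, not skops' file format.
FORGED = {"__module__": "sklearn.utils", "__class__": "add", "args": [2, 3]}
HONEST = {"__module__": "operator", "__class__": "add", "args": [2, 3]}

def reported_type(node):
    """Name shown to the reviewer and checked against the trusted list."""
    return f"{node['__module__']}.{node['__class__']}"

def resolve_inconsistent(node):
    """Flawed pattern: the module key is ignored when the callable is built."""
    return getattr(operator, node["__class__"])

def resolve_consistent(node):
    """Hardened pattern: reject nodes whose module key is not the module used."""
    if node["__module__"] != "operator":
        raise ValueError(f"module key {node['__module__']!r} is not 'operator'")
    return getattr(operator, node["__class__"])

def load(node, trusted, resolver):
    """Check the reported name, then build and call the function."""
    name = reported_type(node)
    if name not in trusted:
        raise PermissionError(f"untrusted type: {name}")
    return resolver(node)(*node["args"])

def audit_gap(node):
    """Return (reported, executed) names so a mismatch is visible."""
    func = resolve_inconsistent(node)
    return reported_type(node), f"operator.{func.__name__}"

if __name__ == "__main__":
    print(audit_gap(FORGED))
    print(load(FORGED, {"sklearn.utils.add"}, resolve_inconsistent))
    try:
        load(FORGED, {"sklearn.utils.add"}, resolve_consistent)
    except ValueError as exc:
        print("rejected:", exc)
```

With the flawed resolver, a reviewer who approves only the reported name still gets a function from the operator module; with the consistent resolver the same node is rejected before anything is called.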

Related Identifiers

CVE-2025-54412
GHSA-M7F4-HRC6-FWG3

Affected Products

Scikit-Learn
Skops