Code Execution Vulnerability in skops Library by Skops-dev
CVE-2025-54412

8.7 HIGH

Key Information:

Vendor: Skops-dev
Status: Vendor
CVE Published: 26 July 2025

What is CVE-2025-54412?

The skops library, used for sharing and shipping scikit-learn models, has a vulnerability in versions 0.11.0 and earlier. An inconsistency in the OperatorFuncNode allows a malicious actor to hide the execution of untrusted operator methods behind types that skops treats as trusted. This flaw can facilitate code reuse attacks: an attacker crafts a model file that invokes seemingly safe functions and escalates to arbitrary code execution on the machine that loads it. The issue is fixed in version 0.12.0; users should upgrade to that version or later.

Affected Version(s)

skops < 0.12.0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability Reserved
