CVE-2025-54413 Information

Jul 27, 2025 cve

Description

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3 it is actually more severe as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0.

Reference

https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603 https://github.com/skops-dev/skops/releases/tag/v0.12.0 https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3

CNNVD-202507-3366 (Published: 2025-07-26)

Share on:

CVE-2025-54413 Information

Description

Reference

Related CNNVD