CVE-2025-54886

CVE-2025-54886 is a high-severity insecure deserialization vulnerability in skops (pip), affecting versions < 0.13.0. It is fixed in 0.13.0.

Summary

The Card class of skops, used for model documentation and sharing, allows arbitrary code execution. When a file other than .zip is provided to the Card class during instantiation, the internally invoked Card.get_model method silently falls back to joblib without warning. Unlike the .skops zip-based format, joblib permits unrestricted code execution, hence bypassing the security measures of skops and enabling the execution of malicious code.

Details

The Card class supports loading the model linked to the card using the get_model method. When a .skops model is provided, it uses the load function from skops, which includes security mechanisms. The Card class also supports consistent management of the trusted list, which can be passed during instance creation. As expected, if a .skops model is provided without a trusted list and an untrusted type is encountered during loading, an error is raised. This behavior is consistent with the security principles of skops.

The problem arises when a file format other than .zip is provided. As shown in the code snippet below, in this case, the joblib library is used to load the model. This happens silently, without any warning or indication that joblib is being used. This is a significant security risk because joblib does not enforce the same security measures as skops, allowing arbitrary code execution.

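# from `card/_model_card.py:354-358`
try:
    if zipfile.is_zipfile(model_path):
        # Real zip archive: the skops loader runs and honours `trusted`.
        model = load(model_path, trusted=trusted)
    else:
        # Anything else: silent fallback to joblib; `trusted` is not passed.
        model = joblib.load(model_path)
# (excerpt ends here; the rest of the try statement is not shown)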

To make matters worse, get_model is called internally by skops during card creation, so the user does not need to call it explicitly. Creating the Card object with a joblib file is enough.

PoC

Consider the following example:

from skops.card import Card

card = Card("model.skops")

An attacker could share a model.skops file that, despite its name, is not a .zip file. In this case, the joblib.load function is called, allowing arbitrary code execution if the file is actually a pickle-like object. This is difficult for the user to detect, as the check is based on the file’s format, not its extension or name.

This vulnerability exists regardless of the trusted list provided (or omitted) during Card instance creation, and is unaffected by any other parameters. Moreover, it occurs at the time of Card instantiation.
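A pre-load gate for environments that cannot upgrade immediately, as an added example (not code from skops or from this advisory). It applies the same zipfile.is_zipfile test as the excerpt above, so a file is rejected exactly when the vulnerable dispatch would have routed it to joblib. The function names and the sample files are hypothetical and constructed here.

```python
import pickle
import tempfile
import zipfile
from pathlib import Path

# Leading bytes of containers joblib can read. Informational only: the
# allow/deny decision below never depends on this table.
_HINTS = {b"\x80": "raw pickle (protocol 2+)", b"\x1f\x8b": "gzip-compressed data"}


def routes_to_joblib(path):
    """True if the dispatch quoted above would hand this file to joblib.load.

    Anything that is not a zip archive falls through, whatever it is named.
    """
    return not zipfile.is_zipfile(path)


def content_hint(path):
    """Best-effort label for the rejection message."""
    with open(path, "rb") as fh:
        head = fh.read(2)
    return next((label for magic, label in _HINTS.items() if head.startswith(magic)), "unrecognised content")


def require_skops_archive(path):
    """Gate to call before Card(path): refuse anything joblib would load."""
    if routes_to_joblib(path):
        raise ValueError(f"{path}: not a zip archive ({content_hint(path)}); refusing to load")
    return Path(path)


def audit_model_dir(directory):
    """Names of *.skops files whose content is not a zip archive."""
    return sorted(p.name for p in Path(directory).glob("*.skops") if routes_to_joblib(p))


def build_samples(directory):
    """Constructed sample data: a real zip and a harmless pickle, both named *.skops."""
    d = Path(directory)
    with zipfile.ZipFile(d / "good.skops", "w") as zf:
        zf.writestr("schema.json", "{}")
    (d / "disguised.skops").write_bytes(pickle.dumps({"weights": [1, 2, 3]}))
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_model_dir(build_samples(tmp)))
```

Call require_skops_archive on any externally supplied path before handing it to Card; audit_model_dir can be run over an existing model store to find files whose name and content disagree.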

Attack Scenario

An attacker can craft a malicious model file that, when used to instantiate a Card object, enables arbitrary code execution on the victim’s machine. This requires no user interaction beyond instantiating the Card object (not even explicit loading). Given that skops is often used in collaborative environments and is designed with security in mind, this vulnerability poses a significant threat.

Attachments

The complete PoC is available on GitHub at io-no/CVE-2025-54886.

Impact

Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.

CVE-2025-54886 has a CVSS score of 8.4 (High). The vector requires local access, no privileges, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.13.0); upgrading removes the vulnerable code path.

Affected versions

skops (< 0.13.0)

Security releases

skops → 0.13.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade skops to 0.13.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-54886? CVE-2025-54886 is a high-severity insecure deserialization vulnerability in skops (pip), affecting versions < 0.13.0. It is fixed in 0.13.0. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
  2. How severe is CVE-2025-54886? CVE-2025-54886 has a CVSS score of 8.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of skops are affected by CVE-2025-54886? skops (pip) versions < 0.13.0 are affected.
  4. Is there a fix for CVE-2025-54886? Yes. CVE-2025-54886 is fixed in 0.13.0. Upgrade to this version or later.
  5. Is CVE-2025-54886 exploitable, and should I be worried? Whether CVE-2025-54886 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-54886 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-54886? Upgrade skops to 0.13.0 or later.

Other vulnerabilities in skops

CVE-2025-54413, CVE-2025-54412, CVE-2024-37065