CVE-2025-54412: skops: OperatorFuncNode type confusion → RCE

GHSA-m7f4-hrc6-fwg3 | Severity: HIGH | PoC available | CISA SSVC: Attend
Published July 26, 2025
CISO Take

Any team loading scikit-learn models from untrusted or third-party sources via skops is exposed to arbitrary code execution through a crafted model file. The attack specifically undermines skops' own trusted_types security mechanism via code reuse, making it harder to catch with static analysis. Upgrade to skops 0.12.0 immediately and restrict model loading to internally-signed artifacts.

What is the risk?

High risk for ML pipelines that accept skops-formatted models from external sources—model registries, Hugging Face Hub, or cross-team sharing workflows. The vulnerability is particularly impactful because it bypasses the primary security control skops introduced to avoid pickle-style deserialization attacks. EPSS is currently minimal (0.00012), suggesting no active exploitation, but PoC context exists in the published advisory and the technical barrier is moderate for anyone familiar with skops internals.

What systems are affected?

Package: skops
Ecosystem: pip
Vulnerable range: < 0.12.0
Patched: 0.12.0
711 dependents, 100% patched, ~26 days to patch

How severe is it?

CVSS 3.1: N/A
EPSS: 0.1% chance of exploitation in 30 days (higher than 3% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

Patch available

Update skops to version 0.12.0

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.1.3 - AI supply chain management
NIST AI RMF: GOVERN 1.7 - Processes for AI supply chain risk management
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain and maintain AI risk treatments

Frequently Asked Questions

Is CVE-2025-54412 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54412, increasing the risk of exploitation.

How to fix CVE-2025-54412?

Update to patched version: skops 0.12.0.

What systems are affected by CVE-2025-54412?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, model registries, MLOps CI/CD pipelines.

What is the CVSS score for CVE-2025-54412?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model serving
training pipelines
model registries
MLOps CI/CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN 1.7, MANAGE 2.2

What are the technical details?

Original Advisory

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types. This is fixed in version 0.12.0.

Exploitation Scenario

An adversary crafts a malicious .skops model file that exploits the OperatorFuncNode inconsistency to chain 'trusted' operator calls in a code reuse sequence that invokes untrusted methods. The file is published to a shared model hub, distributed via a data science collaboration platform, or submitted as a model contribution in an open ML project. When a data scientist or automated pipeline calls skops.io.load("malicious_model.skops", trusted=[...]), the hidden operator execution fires under the appearance of safe, trusted operations. In an MLOps context, this achieves RCE on training infrastructure, can exfiltrate cloud credentials from instance metadata, or pivot to connected data stores and pipelines.
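As an added, defender-side example (not code from the page, the advisory or the skops project): a pre-load triage that opens a .skops archive as a zip, walks its schema.json, and flags any OperatorFuncNode or other callable-producing loader and any module outside an allowlist, plus a version gate for the 0.12.0 fix. The schema key names (schema.json, __loader__, __module__, __class__) and the loader names other than OperatorFuncNode are assumptions about the skops format, and both sample archives are constructed.

```python
import io
import json
import zipfile

# Loader names assumed to resolve to callables in the skops schema (assumption about the
# format, not quoted from the advisory); a crafted file chains such nodes toward execution.
CALLABLE_LOADERS = {"OperatorFuncNode", "FunctionNode", "PartialNode", "MethodNode"}

def walk_schema(node, found=None):
    """Collect (loader, module, class) triples from every node in the schema tree."""
    if found is None:
        found = []
    if isinstance(node, dict):
        if "__loader__" in node:
            found.append((node["__loader__"], node.get("__module__"), node.get("__class__")))
        for value in node.values():
            walk_schema(value, found)
    elif isinstance(node, list):
        for value in node:
            walk_schema(value, found)
    return found

def triage_skops_bytes(data, allowed_modules=("sklearn", "numpy", "builtins")):
    """Return suspicious nodes from a .skops archive without loading it; [] means clean."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        schema = json.loads(zf.read("schema.json"))   # assumed archive layout
    flagged = []
    for loader, module, cls in walk_schema(schema):
        root = (module or "").split(".")[0]
        if loader in CALLABLE_LOADERS or root not in allowed_modules:
            flagged.append({"loader": loader, "module": module, "class": cls})
    return flagged

def skops_version_is_patched(version):
    """True when a plain X.Y.Z skops version string is at or above the fixed 0.12.0."""
    return tuple(int(p) for p in version.split(".")[:3]) >= (0, 12, 0)

def build_sample_archive(schema):
    """Constructed fixture: wrap a schema dict in an in-memory .skops-style zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("schema.json", json.dumps(schema))
    return buf.getvalue()

# Constructed samples: a benign estimator tree and one smuggling an operator node.
COEF = {"__class__": "ndarray", "__module__": "numpy", "__loader__": "NdArrayNode"}
OPER = {"__class__": "attrgetter", "__module__": "operator", "__loader__": "OperatorFuncNode"}
EST = {"__class__": "LogisticRegression", "__module__": "sklearn.linear_model", "__loader__": "ObjectNode"}
BENIGN = build_sample_archive({**EST, "content": {"coef_": COEF}})
SUSPICIOUS = build_sample_archive({**EST, "content": {"coef_": COEF, "x": OPER}})
```

Run the triage in the pipeline step that fetches a model, before any call to skops.io.load, and treat a non-empty result as a hard stop regardless of what trusted types the caller would have passed.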

Weaknesses (CWE)

CWE-351 — Insufficient Type Distinction: The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.

Source: MITRE CWE corpus.

Timeline

Published
July 26, 2025
Last Modified
July 29, 2025
First Seen
July 26, 2025
