CVE-2025-54412 — HIGH AI Security Vulnerability

Q: Is CVE-2025-54412 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54412, increasing the risk of exploitation.

Q: How to fix CVE-2025-54412?

Update to patched version: skops 0.12.0.

Q: What systems are affected by CVE-2025-54412?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, model registries, MLOps CI/CD pipelines.

Q: What is the CVSS score for CVE-2025-54412?

No CVSS score has been assigned yet.

CISO Take

Any team loading scikit-learn models from untrusted or third-party sources via skops is exposed to arbitrary code execution through a crafted model file. The attack specifically undermines skops' own trusted_types security mechanism via code reuse, making it harder to catch with static analysis. Upgrade to skops 0.12.0 immediately and restrict model loading to internally-signed artifacts.

Risk Assessment

High risk for ML pipelines that accept skops-formatted models from external sources—model registries, Hugging Face Hub, or cross-team sharing workflows. The vulnerability is particularly impactful because it bypasses the primary security control skops introduced to avoid pickle-style deserialization attacks. EPSS is currently minimal (0.00012), suggesting no active exploitation, but PoC context exists in the published advisory and the technical barrier is moderate for anyone familiar with skops internals.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
skops	pip	< 0.12.0	`0.12.0`
668 dependents 100% patched ~26d to patch Full package profile →

Do you use skops? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.0%

chance of exploitation in 30 days

Higher than 4% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

Patch available

Update skops to version 0.12.0

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Framework Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0107 - Exploitation for Defense Evasion

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.1.3 - AI supply chain management

NIST AI RMF

GOVERN 1.7 - Processes for AI supply chain risk management MANAGE 2.2 - Mechanisms to sustain and maintain AI risk treatments

Frequently Asked Questions

What is CVE-2025-54412?

Any team loading scikit-learn models from untrusted or third-party sources via skops is exposed to arbitrary code execution through a crafted model file. The attack specifically undermines skops' own trusted_types security mechanism via code reuse, making it harder to catch with static analysis. Upgrade to skops 0.12.0 immediately and restrict model loading to internally-signed artifacts.

Is CVE-2025-54412 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54412, increasing the risk of exploitation.

How to fix CVE-2025-54412?

Update to patched version: skops 0.12.0.

What systems are affected by CVE-2025-54412?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, model registries, MLOps CI/CD pipelines.

What is the CVSS score for CVE-2025-54412?

No CVSS score has been assigned yet.

Technical Details

NVD Description

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain a inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types. This is fixed in version 0.12.0.

Exploitation Scenario

An adversary crafts a malicious .skops model file exploiting the OperatorFuncNode inconsistency to chain 'trusted' operator calls in a code reuse sequence that invokes untrusted methods. The file is published to a shared model hub, distributed via a data science collaboration platform, or submitted as a model contribution in an open ML project. When a data scientist or automated pipeline calls skops.io.load(malicious_model.skops, trusted_types=[...]), the hidden operator execution fires under the appearance of safe, trusted operations. In an MLOps context, this achieves RCE on training infrastructure, can exfiltrate cloud credentials from instance metadata, or pivot to connected data stores and pipelines.