CVE-2025-54886: skops joblib fallback enables RCE

Q: Is CVE-2025-54886 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54886, increasing the risk of exploitation.

Q: How to fix CVE-2025-54886?

1. PATCH: Upgrade skops to 0.13.0 immediately (pip install --upgrade skops). 2. AUDIT: Grep all codebases for Card.get_model and model loading calls using skops < 0.13.0. 3. WORKAROUND (if patching is delayed): Validate file extensions before passing to Card.get_model — reject anything that is not .skops/.zip format. 4. SUPPLY CHAIN: Verify integrity (checksums/signatures) of all model artifacts ingested from external sources. 5. DETECTION: Monitor for unexpected process spawning or network connections from Python/ML pipeline processes during model load operations. 6. ISOLATION: Run model loading in sandboxed environments (containers with no-network, read-only filesystems) to limit blast radius of exploitation.

Q: What systems are affected by CVE-2025-54886?

This vulnerability affects the following AI/ML architecture patterns: MLOps training pipelines, Model registries and artifact stores, CI/CD model validation stages, Data science collaboration environments, Model serving pipelines with dynamic loading.

Q: What is the CVSS score for CVE-2025-54886?

CVE-2025-54886 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.20%.

CISO Take

Any ML pipeline using skops < 0.13.0 to load scikit-learn models from external or untrusted sources is silently vulnerable to arbitrary code execution — the secure loader is bypassed without warning when a non-.zip file is presented. Patch to 0.13.0 immediately and audit model ingestion pipelines for non-.skops file formats. Until patched, enforce strict allowlists on model file extensions entering your environment.

What is the risk?

Effective risk is higher than the local attack vector suggests: 'local' here means the attack executes at model load time within your pipeline, not that an attacker needs shell access first. A malicious model file delivered via model registry, shared storage, or supply chain is sufficient. Low complexity, no privileges, no user interaction — trivial to weaponize once a malicious artifact reaches a loading pipeline. EPSS at 0.336% indicates no known active exploitation yet, but the technique (malicious joblib pickle) is well-understood by threat actors. Exposure is high in any org using skops for model sharing workflows.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
skops	pip	< 0.13.0	`0.13.0`
711 dependents 100% patched ~26d to patch Full package profile →

Do you use skops? You're affected.

How severe is it?

CVSS 3.1

8.4 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 10% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade skops to 0.13.0 immediately (pip install --upgrade skops).
AUDIT

Grep all codebases for Card.get_model and model loading calls using skops < 0.13.0.
WORKAROUND (if patching is delayed): Validate file extensions before passing to Card.get_model — reject anything that is not .skops/.zip format.
SUPPLY CHAIN

Verify integrity (checksums/signatures) of all model artifacts ingested from external sources.
DETECTION

Monitor for unexpected process spawning or network connections from Python/ML pipeline processes during model load operations.
ISOLATION

Run model loading in sandboxed environments (containers with no-network, read-only filesystems) to limit blast radius of exploitation.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution Framework Model AML.T0002.001 - Models AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system lifecycle — Acquisition and supply chain

NIST AI RMF

GOVERN 6.1 - Policies for third-party AI risks MANAGE 2.4 - Mechanisms for discovered risks

OWASP LLM Top 10

LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2025-54886?

Any ML pipeline using skops < 0.13.0 to load scikit-learn models from external or untrusted sources is silently vulnerable to arbitrary code execution — the secure loader is bypassed without warning when a non-.zip file is presented. Patch to 0.13.0 immediately and audit model ingestion pipelines for non-.skops file formats. Until patched, enforce strict allowlists on model file extensions entering your environment.

Is CVE-2025-54886 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54886, increasing the risk of exploitation.

How to fix CVE-2025-54886?

1. PATCH: Upgrade skops to 0.13.0 immediately (pip install --upgrade skops). 2. AUDIT: Grep all codebases for Card.get_model and model loading calls using skops < 0.13.0. 3. WORKAROUND (if patching is delayed): Validate file extensions before passing to Card.get_model — reject anything that is not .skops/.zip format. 4. SUPPLY CHAIN: Verify integrity (checksums/signatures) of all model artifacts ingested from external sources. 5. DETECTION: Monitor for unexpected process spawning or network connections from Python/ML pipeline processes during model load operations. 6. ISOLATION: Run model loading in sandboxed environments (containers with no-network, read-only filesystems) to limit blast radius of exploitation.

What systems are affected by CVE-2025-54886?

This vulnerability affects the following AI/ML architecture patterns: MLOps training pipelines, Model registries and artifact stores, CI/CD model validation stages, Data science collaboration environments, Model serving pipelines with dynamic loading.

What is the CVSS score for CVE-2025-54886?

CVE-2025-54886 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

MLOps training pipelinesModel registries and artifact storesCI/CD model validation stagesData science collaboration environmentsModel serving pipelines with dynamic loading

MITRE ATLAS Techniques

AML.T0002.001 Models

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9

ISO 42001: 6.1.2, 8.4

NIST AI RMF: GOVERN 6.1, MANAGE 2.4

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.

Exploitation Scenario

Adversary crafts a malicious scikit-learn model file using joblib with embedded pickle payload (e.g., reverse shell, credential harvester). File is named model.pkl or model.joblib — intentionally not a .zip format. Adversary publishes this to a public model repository (Hugging Face Hub, GitHub, S3 bucket) or injects it into an internal model registry via compromised credentials or a misconfigured upload endpoint. A data scientist or automated pipeline calls Card.get_model on the malicious artifact. skops < 0.13.0 silently invokes joblib.load() without warning, triggering pickle deserialization and executing the adversary's payload with full permissions of the pipeline process — typically a service account with access to training data, secrets, and compute infrastructure.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data Primary CWE-502 Deserialization of Untrusted Data

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

[Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
[Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.