CVE-2025-54886 — HIGH (CVSS 8.4) AI Security Vulnerability

Q: Is CVE-2025-54886 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54886, increasing the risk of exploitation.

Q: How to fix CVE-2025-54886?

1. PATCH: Upgrade skops to 0.13.0 immediately (pip install --upgrade skops). 2. AUDIT: Grep all codebases for Card.get_model and model loading calls using skops < 0.13.0. 3. WORKAROUND (if patching is delayed): Validate file extensions before passing to Card.get_model — reject anything that is not .skops/.zip format. 4. SUPPLY CHAIN: Verify integrity (checksums/signatures) of all model artifacts ingested from external sources. 5. DETECTION: Monitor for unexpected process spawning or network connections from Python/ML pipeline processes during model load operations. 6. ISOLATION: Run model loading in sandboxed environments (containers with no-network, read-only filesystems) to limit blast radius of exploitation.

Q: What systems are affected by CVE-2025-54886?

This vulnerability affects the following AI/ML architecture patterns: MLOps training pipelines, Model registries and artifact stores, CI/CD model validation stages, Data science collaboration environments, Model serving pipelines with dynamic loading.

Q: What is the CVSS score for CVE-2025-54886?

CVE-2025-54886 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.42%.

CISO Take

Any ML pipeline using skops < 0.13.0 to load scikit-learn models from external or untrusted sources is silently vulnerable to arbitrary code execution — the secure loader is bypassed without warning when a non-.zip file is presented. Patch to 0.13.0 immediately and audit model ingestion pipelines for non-.skops file formats. Until patched, enforce strict allowlists on model file extensions entering your environment.

Risk Assessment

Effective risk is higher than the local attack vector suggests: 'local' here means the attack executes at model load time within your pipeline, not that an attacker needs shell access first. A malicious model file delivered via model registry, shared storage, or supply chain is sufficient. Low complexity, no privileges, no user interaction — trivial to weaponize once a malicious artifact reaches a loading pipeline. EPSS at 0.336% indicates no known active exploitation yet, but the technique (malicious joblib pickle) is well-understood by threat actors. Exposure is high in any org using skops for model sharing workflows.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
skops	pip	< 0.13.0	`0.13.0`
668 dependents 100% patched ~26d to patch Full package profile →

Do you use skops? You're affected.

Severity & Risk

CVSS 3.1

8.4 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 62% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade skops to 0.13.0 immediately (pip install --upgrade skops).
AUDIT

Grep all codebases for Card.get_model and model loading calls using skops < 0.13.0.
WORKAROUND (if patching is delayed): Validate file extensions before passing to Card.get_model — reject anything that is not .skops/.zip format.
SUPPLY CHAIN

Verify integrity (checksums/signatures) of all model artifacts ingested from external sources.
DETECTION

Monitor for unexpected process spawning or network connections from Python/ML pipeline processes during model load operations.
ISOLATION

Run model loading in sandboxed environments (containers with no-network, read-only filesystems) to limit blast radius of exploitation.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Framework Model AML.T0002.001 - Models AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system lifecycle — Acquisition and supply chain

NIST AI RMF

GOVERN 6.1 - Policies for third-party AI risks MANAGE 2.4 - Mechanisms for discovered risks

OWASP LLM Top 10

LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2025-54886?

Any ML pipeline using skops < 0.13.0 to load scikit-learn models from external or untrusted sources is silently vulnerable to arbitrary code execution — the secure loader is bypassed without warning when a non-.zip file is presented. Patch to 0.13.0 immediately and audit model ingestion pipelines for non-.skops file formats. Until patched, enforce strict allowlists on model file extensions entering your environment.

Is CVE-2025-54886 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54886, increasing the risk of exploitation.

How to fix CVE-2025-54886?

1. PATCH: Upgrade skops to 0.13.0 immediately (pip install --upgrade skops). 2. AUDIT: Grep all codebases for Card.get_model and model loading calls using skops < 0.13.0. 3. WORKAROUND (if patching is delayed): Validate file extensions before passing to Card.get_model — reject anything that is not .skops/.zip format. 4. SUPPLY CHAIN: Verify integrity (checksums/signatures) of all model artifacts ingested from external sources. 5. DETECTION: Monitor for unexpected process spawning or network connections from Python/ML pipeline processes during model load operations. 6. ISOLATION: Run model loading in sandboxed environments (containers with no-network, read-only filesystems) to limit blast radius of exploitation.

What systems are affected by CVE-2025-54886?

This vulnerability affects the following AI/ML architecture patterns: MLOps training pipelines, Model registries and artifact stores, CI/CD model validation stages, Data science collaboration environments, Model serving pipelines with dynamic loading.

What is the CVSS score for CVE-2025-54886?

CVE-2025-54886 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.42%.

Technical Details

NVD Description

skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.

Exploitation Scenario

Adversary crafts a malicious scikit-learn model file using joblib with embedded pickle payload (e.g., reverse shell, credential harvester). File is named model.pkl or model.joblib — intentionally not a .zip format. Adversary publishes this to a public model repository (Hugging Face Hub, GitHub, S3 bucket) or injects it into an internal model registry via compromised credentials or a misconfigured upload endpoint. A data scientist or automated pipeline calls Card.get_model on the malicious artifact. skops < 0.13.0 silently invokes joblib.load() without warning, triggering pickle deserialization and executing the adversary's payload with full permissions of the pipeline process — typically a service account with access to training data, secrets, and compute infrastructure.