CVE-2025-54412: 
Python vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-54412) was discovered in skops, affecting versions prior to 0.12.0. The vulnerability involves an inconsistency in the OperatorFuncNode that allows attackers to conceal the execution of untrusted operator methods, potentially leading to arbitrary code execution. The vulnerability was discovered and reported by io-no and was patched in version 0.12.0, released on July 25, 2025 (GitHub Release, GitHub Advisory).

The vulnerability stems from an inconsistency between what is returned by getuntrustedtypes and what is actually executed during the load call in the OperatorFuncNode implementation. The flaw allows attackers to manipulate the module and class keys in the schema.json file to make malicious operations appear benign. For example, an attacker can craft a payload where getuntrustedtypes shows 'sklearn.linearmodel.stochastic_gradient.SGDRegressor.call' while actually executing 'operator.call'. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (High) with the vector string: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code on the victim's machine by crafting malicious model files that request trusted types different from those actually executed. This is particularly concerning in collaborative environments where skops is used. The attack occurs at load time and can lead to complete system compromise, affecting confidentiality, integrity, and availability of both the vulnerable and subsequent systems (GitHub Advisory).

The vulnerability has been patched in skops version 0.12.0. Users are strongly advised to upgrade to this version or later. The fix involves modifying getuntrustedtypes and load to verify what is actually called during the construction of the OperatorFuncNode, rather than relying solely on the concatenation of module and class keys (GitHub Release, GitHub Advisory).