CVE-2025-54886: 
Python vulnerability analysis and mitigation

CVE-2025-54886 affects skops, a Python library for sharing and shipping scikit-learn based models. The vulnerability was discovered in versions 0.12.0 and below, where the Card.get_model function lacks proper security controls for preventing arbitrary code execution. The issue was disclosed on August 7, 2025, and has been fixed in version 0.13.0 (GitHub Advisory, NVD).

The vulnerability stems from the Card.get_model function's handling of model loading. While the function properly implements secure loading with trusted type validation for .skops models, it silently falls back to using joblib for non-zip file formats without any warning. Unlike skops' secure implementation, joblib allows arbitrary code execution during loading, effectively bypassing the intended security measures. The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but no privileges or user interaction needed for exploitation (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code on the victim's machine by crafting a malicious model file. When such a file is loaded using Card.get_model, the code executes silently at loading time, making it particularly stealthy. This is especially concerning in collaborative environments where skops is used, as it undermines the library's security-oriented policy (GitHub Advisory).

The vulnerability has been fixed in version 0.13.0 by introducing a new parameter 'allowpickle' in the Card.getmodel function. Users should upgrade to this version or later. The fix requires explicit acknowledgment of the security implications when loading non-skops model files by setting allow_pickle=True. If using an older version, users should ensure they only load trusted model files and avoid loading models from untrusted sources (GitHub Commit).