CVE-2025-54413: CWE-351: Insufficient Type Distinction in skops-dev skops

Severity: High
Tags: vulnerability, CVE-2025-54413, CWE-351
Published: Sat Jul 26 2025 (07/26/2025, 03:29:43 UTC)
Source: CVE Database V5
Vendor/Project: skops-dev
Product: skops

Description

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 0.12.0 (the advisory text reads "12.0.0", but skops has never shipped a 12.x release; the fixed release is 0.12.0).

AI-Powered Analysis

AI analysis last updated: 07/26/2025, 04:03:03 UTC

Technical Analysis

CVE-2025-54413 is a high-severity vulnerability in skops, versions 0.11.0 and earlier. skops persists scikit-learn models in its own format rather than pickle, and at load time it rebuilds each object from a tree of typed nodes, admitting only types the caller has marked as trusted. The flaw is in MethodNode, the node that restores a bound method of a persisted object: the check it performs on the method's type is not consistent with what it actually resolves, so a crafted file can reach object fields through dot notation that the check never examined. Because those fields are resolved while the file is being loaded, an attacker who can supply a model file gains arbitrary code execution in the process that loads it.

The advisory rates this as more severe than the similar GHSA-m7f4-hrc6-fwg3 because it relies on fewer assumptions about which types are trusted: a trusted-types list that would have blocked the earlier issue cannot be relied on to block this one. The fix is in skops 0.12.0, which makes the type check and the attribute resolution consistent.

The CVSS 4.0 score of 8.7 reflects high impact on confidentiality, integrity and availability, low attack complexity, a local attack vector and required user interaction (someone has to load the file). No exploitation in the wild has been reported, but any environment that loads models from other teams, public model hubs or user uploads with a vulnerable version should treat this as a critical issue.
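The weakness class described above (CWE-351, a check on one thing followed by a resolution of another), reduced to a toy loader. This is an added example with hypothetical classes (Model, Preprocessor, Sink) and resolver functions; it is not skops code and does not reproduce the actual skops flaw or its exploit. It shows why allow-listing the root object's type says nothing about what a dotted attribute path returns, and what a consistent check looks like:

```python
"""Toy illustration of CWE-351 in an attribute-resolving loader (not skops)."""
from dataclasses import dataclass, field
from types import MethodType


@dataclass
class Preprocessor:
    scale: float = 1.0

    def transform(self, x):
        return [v * self.scale for v in x]


@dataclass
class Model:
    pre: Preprocessor = field(default_factory=Preprocessor)

    def predict(self, x):
        return self.pre.transform(x)


class Sink:
    """Stands in for a type nobody intended the loader to hand back."""

    def run(self):
        return "side effect"


TRUSTED = {Model}  # hypothetical allow-list of root types


def resolve_vulnerable(root, attr_path):
    """Checks the root's type, then follows a dotted path without re-checking.

    Everything past the first dot lives on objects whose types the check
    never saw, so the allow-list says nothing about what comes back.
    """
    if type(root) not in TRUSTED:
        raise TypeError(f"untrusted type {type(root).__name__}")
    obj = root
    for part in attr_path.split("."):
        obj = getattr(obj, part)
    return obj


def resolve_hardened(root, attr_name):
    """Same purpose, but the check covers exactly what is resolved."""
    if type(root) not in TRUSTED:
        raise TypeError(f"untrusted type {type(root).__name__}")
    # One plain identifier: no dotted paths, no dunder or private names.
    if not attr_name.isidentifier() or attr_name.startswith("_"):
        raise ValueError(f"rejected attribute name {attr_name!r}")
    # The name must be a function defined on the trusted class itself, not an
    # instance attribute that a crafted file could have planted on the object.
    class_attr = type(root).__dict__.get(attr_name)
    if not callable(class_attr):
        raise TypeError(f"{attr_name!r} is not a method of {type(root).__name__}")
    method = getattr(root, attr_name)
    # What we hand back is that very function, bound to the object we checked.
    if (not isinstance(method, MethodType) or method.__self__ is not root
            or method.__func__ is not class_attr):
        raise TypeError(f"{attr_name!r} did not resolve to a bound method")
    return method


def rejects(resolver, root, name):
    """True if the resolver refuses the request."""
    try:
        resolver(root, name)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    crafted = Model(pre=Sink())  # a crafted file can put anything in a field
    leaked = resolve_vulnerable(crafted, "pre.run")
    print(type(leaked.__self__).__name__, leaked())  # Sink, past the check
    print(rejects(resolve_hardened, crafted, "pre.run"))  # True
    print(resolve_hardened(Model(), "predict")([1, 2]))
```

The hardened resolver ties the allow-list to the thing returned: a single identifier, defined on the checked class, bound to the checked instance. Any of the three conditions alone still leaves a gap (an instance attribute can shadow a method, a dotted path walks off the checked type, a dunder name reaches the interpreter's own plumbing).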

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those that rely on scikit-learn workflows and use skops to share or deploy models. Arbitrary code execution at load time can lead to full compromise of the loading host, data theft, or disruption of critical services. Organizations in sectors such as finance, healthcare, manufacturing and research that use machine learning models for decision-making or automation are particularly exposed: a malicious model file executes its payload the moment a vulnerable version loads it, with no further action by the victim. This undermines trust in machine learning pipelines and can lead to intellectual property theft, regulatory non-compliance (for example GDPR breaches through data exposure) and operational downtime. Given the increasing adoption of AI/ML technologies across Europe, the threat surface is expanding, which makes timely patching essential.

Mitigation Recommendations

European organizations should upgrade skops to version 0.12.0 or later immediately; that is the only complete remediation, since the advisory states the issue depends on fewer trusted-type assumptions than its predecessor, so a restrictive trusted-types list on a vulnerable version is not a reliable substitute. Until the upgrade is in place, treat model files as untrusted input: verify the source and integrity of every file (signatures or pinned hashes from the producing pipeline) before it reaches a loader, inspect the file's declared types and node kinds before loading, and load only in a sandbox or container with no credentials or network access that the loader does not need. Monitoring and logging of model-loading activity (which files were loaded, by which process, and what the process did afterwards) helps detect exploitation attempts.

Beyond the immediate fix, review the machine learning supply chain: ensure only trusted models are used, that model provenance is verified, and that developers and data scientists understand that loading a model file is executing code from whoever produced it. Enforce policies restricting where models may come from, and integrate dependency vulnerability scanning for packages such as skops into CI/CD pipelines so that vulnerable versions are not deployed.
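A pre-load gate of the kind the mitigation paragraph describes, as an added example that is not skops code. It uses only the standard library so it can run where skops is not installed. It assumes the skops archive layout as I understand it: a zip containing schema.json, whose nodes are dicts with `__module__`, `__class__`, `__loader__` and `content`, and that MethodNode content carries the method name under `func` and the owning object under `obj`; the loader names in CALLABLE_LOADERS are likewise my reading of the format. The sample archive built by `build_sample()` is constructed for the demo and was not produced by skops.

```python
"""Stdlib-only gate run before skops.io.load: version check plus schema audit."""
import io
import json
import re
import zipfile
from collections import Counter
from importlib import metadata

FIXED_VERSION = (0, 12, 0)
# Node loaders that resolve callables at load time (assumed names); their
# presence deserves a hard look regardless of which types are allow-listed.
CALLABLE_LOADERS = {"MethodNode", "FunctionNode", "ReduceNode"}


def parse_version(text):
    """'0.11.0' -> (0, 11, 0); pads to three parts, ignores non-numeric tails."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed_version(text):
    return parse_version(text) >= FIXED_VERSION


def installed_skops_is_fixed():
    """True/False for the installed skops, None if it is not installed."""
    try:
        return is_fixed_version(metadata.version("skops"))
    except metadata.PackageNotFoundError:
        return None


def iter_nodes(node):
    """Yield every node dict in the schema tree, depth first."""
    if isinstance(node, dict):
        if "__loader__" in node:
            yield node
        for value in node.values():
            yield from iter_nodes(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_nodes(item)


def audit_schema(schema):
    """Summarise loaders, declared types and MethodNode requests in a schema."""
    loaders, types, methods = Counter(), set(), []
    for node in iter_nodes(schema):
        loaders[node["__loader__"]] += 1
        types.add(f"{node.get('__module__')}.{node.get('__class__')}")
        if node["__loader__"] == "MethodNode":
            content = node.get("content", {})
            owner = content.get("obj", {})
            # Record what the file asks the loader to getattr, and on what.
            methods.append((f"{owner.get('__module__')}.{owner.get('__class__')}",
                            content.get("func")))
    return {"loaders": loaders, "types": types, "methods": methods}


def audit_skops_file(fileobj):
    with zipfile.ZipFile(fileobj) as zf:
        return audit_schema(json.loads(zf.read("schema.json")))


def gate(report, allowed_types):
    """Return (ok, reasons): refuse callable-resolving nodes, unknown types and
    method names that are not a single plain identifier (dotted paths included)."""
    reasons = []
    for loader in sorted(CALLABLE_LOADERS & set(report["loaders"])):
        reasons.append(f"{loader} x{report['loaders'][loader]}")
    for t in sorted(report["types"] - set(allowed_types)):
        reasons.append(f"type not on allow-list: {t}")
    for owner, func in report["methods"]:
        if not str(func).isidentifier() or str(func).startswith("_"):
            reasons.append(f"suspicious method name {func!r} on {owner}")
    return (not reasons, reasons)


def build_sample():
    """Constructed archive shaped like a skops file; not produced by skops."""
    scaler = {"__module__": "sklearn.preprocessing", "__class__": "StandardScaler",
              "__loader__": "ObjectNode", "content": {}}
    method = {"__module__": "builtins", "__class__": "method", "__loader__": "MethodNode",
              "content": {"func": "scale_.dtype", "obj": scaler}}  # dotted: refuse
    schema = {"protocol": 0, "__module__": "sklearn.pipeline", "__class__": "Pipeline",
              "__loader__": "ObjectNode",
              "content": {"steps": {"__module__": "builtins", "__class__": "list",
                                    "__loader__": "ListNode", "content": [scaler, method]}}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("schema.json", json.dumps(schema))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("installed skops fixed:", installed_skops_is_fixed())
    report = audit_skops_file(build_sample())
    ok, why = gate(report, {"sklearn.pipeline.Pipeline", "builtins.list",
                            "sklearn.preprocessing.StandardScaler"})
    print(ok, why)
```

The gate is deliberately stricter than skops's own trusted-types check: on a vulnerable version the check itself is what cannot be relied on, so the file is refused outright if it asks the loader to resolve any method or function, whatever the allow-list says. Hook it in front of `skops.io.load` in the service that accepts uploaded or third-party models, and fail closed when `installed_skops_is_fixed()` is not True.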

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-21T23:18:10.280Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68844fe2ad5a09ad005a5ae3

Added to database: 7/26/2025, 3:47:46 AM

Last enriched: 7/26/2025, 4:03:03 AM

Last updated: 7/26/2025, 4:03:03 AM

