CVE-2025-54886 is a high-severity vulnerability affecting the Python library skops, versions prior to 0.13.0. Skops is designed to facilitate sharing and shipping of scikit-learn based machine learning models. The vulnerability arises in the Card.get_model function, which is responsible for loading models serialized in either joblib or skops formats. While skops implements secure loading mechanisms with trusted type validation to prevent arbitrary code execution, the function silently falls back to joblib when loading non-.zip file formats without any warning or validation. Joblib’s deserialization process is inherently insecure as it allows arbitrary code execution during model loading. This fallback behavior effectively bypasses skops’ security controls, enabling an attacker to craft malicious model files that, when loaded, execute arbitrary code on the host system. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), a common vector for remote code execution attacks. The CVSS v3.1 base score is 8.4, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity, no privileges required, and no user interaction needed. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make this a critical concern for organizations using vulnerable versions of skops for model deployment or sharing. The issue is resolved in skops version 0.13.0, which presumably enforces strict validation and removes the insecure fallback to joblib for non-.zip formats.

For European organizations leveraging machine learning workflows, particularly those using scikit-learn models shared or deployed via the skops library, this vulnerability poses a significant risk. Successful exploitation can lead to arbitrary code execution on systems that load malicious model files, potentially resulting in full system compromise. This can lead to data breaches, unauthorized access to sensitive information, disruption of machine learning services, and lateral movement within corporate networks. Organizations in sectors such as finance, healthcare, automotive, and manufacturing—where machine learning models are increasingly integrated—may face operational disruptions and regulatory compliance issues under GDPR if personal data confidentiality is compromised. The silent fallback to joblib increases the risk of unnoticed exploitation, as users may assume their models are loaded securely. Given the high CVSS score and the lack of required privileges or user interaction, attackers can exploit this vulnerability remotely if they can supply or influence the model files being loaded, making supply chain attacks or insider threats particularly concerning.

European organizations should immediately upgrade skops to version 0.13.0 or later to eliminate the insecure fallback to joblib and benefit from the enforced trusted type validation. Until upgrading, organizations should implement strict validation and verification of all model files before loading, ensuring only trusted and verified sources are used. Employing file integrity checks, digital signatures, or cryptographic hashes for model files can prevent tampering. Additionally, restricting the environment where models are loaded—such as using sandboxing or containerization—can limit the impact of potential code execution. Monitoring and logging model loading activities for anomalies or unexpected file formats can provide early detection of exploitation attempts. Organizations should also review their machine learning supply chains to prevent untrusted model injection and educate developers and data scientists about the risks of deserializing untrusted data. Finally, network segmentation and least privilege principles should be applied to systems running model inference to reduce attack surface and lateral movement potential.