CVE-2025-54412

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-54412

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54412.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-54412

Aliases

GHSA-m7f4-hrc6-fwg3

Published

2025-07-26T04:16:06Z

Modified

2025-07-29T14:50:01.731944Z

Summary

[none]

Details

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain a inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types. This is fixed in version 0.12.0.

References

Affected packages

Git / github.com/skops-dev/skops

Affected ranges

Type: GIT
Repo: https://github.com/skops-dev/skops
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0aeca055509dfb48c1506870aabdd9e247adf603

Fixed

ab61439ba35bef6bb24109966e4ed19f08446f82

Affected versions

v0.*

v0.8.0