CVE-2025-54413
Description
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0.
Is your site exposed to CVE-2025-54413?
Run a free security scan — no signup, results in seconds.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2025-54413? +
How do I check if I'm vulnerable to CVE-2025-54413? +
Related Vulnerabilities
Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. …
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain …
An attacker can upload an arbitrary file instead of a plant image.
HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's …
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users …
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could …