CVE-2025-54886 - Insecure Fallback to joblib Allows Arbitrary Code Execution in skops

[io-no]

Summary

The Card class of skops, used for model documentation and sharing, allows arbitrary code execution. When a file other than .zip is provided to the Card class during instantiation, the internally invoked Card.get_model method silently falls back to joblib without warning. Unlike the .skops zip-based format, joblib permits unrestricted code execution, hence bypassing the security measures of skops and enabling the execution of malicious code.

Details

The Card class supports loading the model linked to the card using the get_model method. When a .skops model is provided, it uses the load function from skops, which includes security mechanisms. The Card class also supports consistent management of the trusted list, which can be passed during instance creation. As expected, if a .skops model is provided without a trusted list and an untrusted type is encountered during loading, an error is raised. This behavior is consistent with the security principles of skops.

The problem arises when a file format other than .zip is provided. As shown in the code snippet below, in this case, the joblib library is used to load the model. This happens silently, without any warning or indication that joblib is being used. This is a significant security risk because joblib does not enforce the same security measures as skops, allowing arbitrary code execution.

# from `card/_model_card.py:354-358`
try:
    if zipfile.is_zipfile(model_path):
        model = load(model_path, trusted=trusted)
    else:
        model = joblib.load(model_path)

To increase the concern, get_model is actually called internally by skops during card creation, so the user does not need to call it explicitly—only to create the Card object passing a joblib file.

Exploit

Consider the following example:

from skops.card import Card

card = Card("model.skops")

An attacker could share a model.skops file that, despite its name, is not a .zip file. In this case, the joblib.load function is called, allowing arbitrary code execution if the file is actually a pickle-like object. This is difficult for the user to detect, as the check is based on the file’s format, not its extension or name.

This vulnerability exists regardless of the trusted list provided (or omitted) during Card instance creation, and is unaffected by any other parameters. Moreover, it occurs at the time of Card instantiation.

Proof of Concept (PoC)

A complete PoC is provided for reference and reproducibility at io-no/CVE-2025-54886.

The folder contains:

• generate_evil_model.py – generates a malicious pickle file named model.skops
• poc.py – demonstrates arbitrary execution at Card instantiation time

Attack Scenario

An attacker can craft a malicious model file that, when used to instantiate a Card object, enables arbitrary code on the victim’s machine. This requires no user interaction beyond instantiating the Card object (not even explicit loading). Given that skops is often used in collaborative environments and is designed with security in mind, this vulnerability poses a significant threat.

Disclosure Timeline

• 23 June 2025 – Private disclosure to the skops team via GitHub private advisory.
• Collaborative work with the skops team, including a PR with a proposed fix.
• 6 August 2025 – skops version 0.13.0 released with the fix ([PR #485](ENH harden Card by adding a flag to allow/disallow insecure pickle loading skops-dev/skops#485)).