CVE-2025-54886 (CNNVD-202508-755)
中文标题:
Skops 代码问题漏洞
英文标题:
skops: Card.get_model does not block arbitrary code execution
漏洞描述
中文描述:
Skops是Skops项目的一个 Python 库,可帮助共享基于 scikit-learn 的模型并将其投入生产。 Skops 0.12.0及之前版本存在代码问题漏洞,该漏洞源于Card.get_model函数未防止任意代码执行,可能导致安全风险。
英文描述:
skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| skops-dev | skops | < 0.13.0 | - | - |
cpe:2.3:a:skops-dev:skops:<_0.13.0:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-54886 |
2025-11-11 15:23:29 | 2025-11-11 07:40:43 |
| NVD | nvd_CVE-2025-54886 |
2025-11-11 15:00:58 | 2025-11-11 07:48:30 |
| CNNVD | cnnvd_CNNVD-202508-755 |
2025-11-11 15:12:53 | 2025-11-11 08:00:09 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 代码问题
- cnnvd_id: 未提取 -> CNNVD-202508-755
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']