CVE-2025-54886
skops · skops Multiple Products
A high-severity vulnerability has been identified in the skops Python library, which is used for sharing machine learning models.
Executive summary
A high-severity vulnerability has been identified in the skops Python library, which is used for sharing machine learning models. An attacker could exploit this vulnerability by creating a malicious model file. If this file is loaded by an application using the affected skops library, the attacker could execute arbitrary code and gain full control of the underlying system, leading to potential data theft, system compromise, and further network intrusion.
Vulnerability
The vulnerability exists due to an insecure deserialization process when loading model files with the skops library. An attacker can craft a malicious model file containing embedded code payloads. When a vulnerable application uses the skops library to load this malicious file, the deserialization process improperly executes the embedded payload, resulting in arbitrary code execution with the permissions of the application running the skops library. Exploitation requires an attacker to convince a user or an automated system to load the specially crafted, malicious model file.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.4. Successful exploitation could have a severe impact on the business, primarily through Remote Code Execution (RCE). An attacker could compromise critical systems used in MLOps pipelines, data science environments, or production applications. Potential consequences include theft of sensitive intellectual property (e.g., proprietary models, training data), unauthorized access to the organization's internal network, deployment of ransomware, or using the compromised system to launch further attacks. The risk is significant for any organization relying on the skops library to handle models from external or untrusted sources.
Remediation
Immediate Action: Apply the security updates provided by the vendor to all systems using the skops library immediately. After patching, monitor systems for any signs of attempted exploitation. Review application and system access logs for any unusual activity related to model loading processes that occurred prior to the patch being applied.
Proactive Monitoring: Implement enhanced monitoring on systems running skops. Look for suspicious child processes being spawned by Python applications, especially shells (sh, bash, powershell.exe) or network utilities (curl, wget). Monitor for unexpected outbound network connections from servers that process models, as this could indicate a command-and-control channel. Configure logging to record all model loading events, including the source and hash of the file.
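The indicators above (a Python process spawning a shell or download utility, or opening an outbound connection to an unexpected destination) can be turned into a simple detection pass over endpoint telemetry. The following is an added example, not part of this advisory or of the skops project; the JSON-lines event schema, the allowlists and the sample events are constructed assumptions and would need to be mapped onto whatever EDR or audit source is in use.

```python
import json
from typing import List, Optional, Tuple

# Hypothetical allowlists; tune these to the environment being monitored.
SUSPICIOUS_CHILDREN = {"sh", "bash", "powershell.exe", "curl", "wget"}
PYTHON_NAMES = {"python", "python3", "python.exe"}
ALLOWED_DESTS = {"10.0.0.5"}  # constructed: the internal model registry

def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of Windows separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_python(image: str) -> bool:
    name = basename(image)
    return name in PYTHON_NAMES or name.startswith("python3.")

def evaluate(event: dict) -> Optional[str]:
    """Return an alert reason for one telemetry event, or None if benign."""
    if event.get("type") == "process_create":
        child = basename(event["image"])
        if is_python(event["parent_image"]) and child in SUSPICIOUS_CHILDREN:
            return f"python spawned {child}: {event.get('cmdline', '')}"
    elif event.get("type") == "network_connect":
        if is_python(event["image"]) and event["dest_ip"] not in ALLOWED_DESTS:
            return f"python outbound to {event['dest_ip']}:{event['dest_port']}"
    return None

def scan(jsonl: str) -> List[Tuple[str, str, str]]:
    """Run evaluate() over JSON-lines telemetry; return (ts, host, reason)."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = evaluate(ev)
        if reason:
            alerts.append((ev["ts"], ev["host"], reason))
    return alerts

# Constructed sample telemetry from a model-serving host (not real data).
SAMPLE_EVENTS = """
{"ts": "2025-09-01T10:00:01Z", "host": "ml-serve-01", "type": "process_create", "parent_image": "/usr/bin/python3.11", "image": "/bin/sh", "cmdline": "sh -c whoami"}
{"ts": "2025-09-01T10:00:02Z", "host": "ml-serve-01", "type": "process_create", "parent_image": "/usr/bin/python3.11", "image": "/usr/bin/git", "cmdline": "git lfs pull"}
{"ts": "2025-09-01T10:00:03Z", "host": "ml-serve-01", "type": "network_connect", "image": "/usr/bin/python3.11", "dest_ip": "10.0.0.5", "dest_port": 443}
{"ts": "2025-09-01T10:00:04Z", "host": "ml-serve-01", "type": "network_connect", "image": "/usr/bin/python3.11", "dest_ip": "203.0.113.7", "dest_port": 4444}
{"ts": "2025-09-01T10:00:05Z", "host": "ml-serve-01", "type": "process_create", "parent_image": "/bin/bash", "image": "/usr/bin/curl", "cmdline": "curl -s https://example.invalid"}
"""

for ts, host, reason in scan(SAMPLE_EVENTS):
    print(f"{ts} {host} ALERT {reason}")
```

Only the shell spawned from the Python interpreter and the connection to the non-allowlisted address are flagged; the git child process, the registry connection and the curl launched from bash are ignored.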
Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:
- Restrict model loading processes to a sandboxed or containerized environment with minimal privileges and no outbound network access.
- Enforce a strict policy to only load models from trusted, internally-vetted, and signed sources.
- Use Endpoint Detection and Response (EDR) tools to detect and block anomalous process execution patterns on affected hosts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high-severity CVSS score and the risk of remote code execution, we strongly recommend that all affected systems be patched immediately. Organizations should prioritize identifying all instances of the skops library within their environment to ensure complete remediation. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion and an attractive target for attackers. Proactive patching and monitoring are essential to prevent potential compromise.