CVE-2025-54413: Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time
An inconsistency in MethodNode can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time.
While this issue may seem similar to https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types.
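As an added example (not part of the advisory or of the skops project), the following defender-side check inspects a `.skops` archive without deserializing it: it walks `schema.json` and reports every node whose loader is `MethodNode` and whose method name contains a dot, since a legitimately bound method name never does. The archive layout (a zip containing `schema.json`, nodes tagged with a `__loader__` key, `MethodNode` entries carrying `content.func`) is an assumption about the skops format, and the sample archive is constructed inline.

```python
import io
import json
import zipfile


def iter_nodes(state, path="$"):
    """Yield (path, node) for every dict in the tree carrying a __loader__ key."""
    if isinstance(state, dict):
        if "__loader__" in state:
            yield path, state
        for key, value in state.items():
            yield from iter_nodes(value, f"{path}.{key}")
    elif isinstance(state, list):
        for index, value in enumerate(state):
            yield from iter_nodes(value, f"{path}[{index}]")


def find_dotted_method_nodes(schema):
    """Return (path, func) for each MethodNode whose func name contains a dot."""
    hits = []
    for path, node in iter_nodes(schema):
        if node.get("__loader__") != "MethodNode":
            continue
        func = node.get("content", {}).get("func", "")
        if "." in func:  # attribute traversal instead of a plain method name
            hits.append((path, func))
    return hits


def scan_skops_bytes(data):
    """Scan a .skops archive held in memory; nothing is deserialized or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        schema = json.loads(archive.read("schema.json"))  # assumed file name
    return find_dotted_method_nodes(schema)


def build_sample():
    """Constructed sample: one ordinary bound method and one dotted name."""
    obj = {"__class__": "Model", "__module__": "demo", "__loader__": "ObjectNode"}
    method = {"__class__": "method", "__module__": "builtins", "__loader__": "MethodNode"}
    schema = {
        "protocol": 1,
        "__class__": "dict", "__module__": "builtins", "__loader__": "DictNode",
        "content": {
            "ok": {**method, "content": {"func": "predict", "obj": obj}},
            "bad": {**method, "content": {"func": "outer.inner.attr", "obj": obj}},
        },
    }
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("schema.json", json.dumps(schema))
    return buffer.getvalue()
```

A non-empty result means the file should be rejected before any call to `skops.io.load`, regardless of which types the loader has been told to trust.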
References
- drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing
- github.com/advisories/GHSA-4v6w-xpmh-gfgp
- github.com/skops-dev/skops
- github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603
- github.com/skops-dev/skops/releases/tag/v0.12.0
- github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp
- github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3
- nvd.nist.gov/vuln/detail/CVE-2025-54413