4 matches found
Insufficient Type Distinction
Overview: skops is a set of tools to push scikit-learn based models to and pull from Hugging Face Hub. Affected versions of this package are vulnerable to Insufficient Type Distinction via the MethodNode class in the io/audit.py file, which allows access to attributes of existing objects. An...
CVE-2025-54413
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at loa...
GHSA-4V6W-XPMH-GFGP Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time
Summary: An inconsistency in MethodNode can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3, it i...
Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time
Summary: An inconsistency in MethodNode can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3, it i...