skops@0.7.0 vulnerabilities

A set of tools to push scikit-learn based models to and pull from Hugging Face Hub

Direct Vulnerabilities

Known vulnerabilities in the skops package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Deserialization of Untrusted Data

skops is an A set of tools to push scikit-learn based models to and pull from Hugging Face Hub

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. When loading nodes of type OperatorFuncNode, Skops allows a model to call functions from within the operator module, specifying both the function and the arguments being passed to it. This system allows an attacker to craft a specialized payload in the form of a model that allows for arbitrary code execution to occur when a malicious model is loaded and compiled.

How to fix Deserialization of Untrusted Data?

There is no fixed version for skops.

[0,)