Insecure Deserialization with Scikit Joblib

Description

The use of `joblib.load()` can lead to arbitrary code execution due to its reliance on pickle. Consider using `skops` instead to prevent deserialization of untrusted data.

Examples

Insecure Code

joblib.load('model.pkl')

Secure Code

skops.load('model.pkl')

Remediation

Replace `joblib.load()` with a secure alternative, such as `skops`.

Rule Details

Field	Value
ID	CODE-0462
Category	Deserialization
Severity	CRITICAL
CWE	CWE-502
Confidence	MEDIUM
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	pickle, deserialization
OWASP	N/A

References

• https://scikit-learn.org/stable/model_persistence.html

---