The CVE-2025-XXXX vulnerability in Keras is an insecure-deserialization flaw in the `TorchModuleWrapper` layer class. In affected versions (3.11.0 through 3.11.2), the safe-mode feature of the model loader (the `safe_mode=True` default of `keras.saving.load_model`), which is meant to block exactly this kind of attack, can be bypassed. When a maliciously crafted .keras file is loaded, the deserialization path does not adequately restrict how this class is reconstructed, so an attacker can embed arbitrary Python code in the serialized data and have it run. The exploit fires as soon as a victim loads the manipulated file; it makes no difference whether the path points at a local file or at one the application fetched from a remote source. The root cause is that `TorchModuleWrapper` is neither validated nor sandboxed during object reconstruction, so the payload executes with the privileges of the process loading the model.
Platform: Keras
Version: 3.11.0-3.11.2
Vulnerability: Arbitrary Code Execution
Severity: Critical
Date: 2025-10-17
Prediction: 2025-10-31
What Undercode Say:
find /path/to/models -name "*.keras" -type f   # inventory every model archive that may get loaded
import keras
model = keras.saving.load_model('malicious.keras')   # loading an untrusted archive triggers the exploit
python -c "import keras; print(keras.__version__)"   # confirm whether the installed release is in the affected 3.11.0-3.11.2 range
How the Exploit Works:
The attacker serializes a malicious payload into a .keras file by way of a manipulated TorchModuleWrapper entry. When the victim's application loads that file with keras.saving.load_model, the loader deserializes the payload and the embedded code runs in the application's process.
Protection from this CVE:
Upgrade to Keras 3.11.3 or later. Do not load .keras files from untrusted sources. Until you have patched, treat the safe-mode default as no protection at all for this bug (it is the control being bypassed), inspect model archives before loading them, and run any loader for third-party models in a sandboxed, least-privilege process.
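The following pre-load check is an added example, not code from Undercode or from the Keras project. A Keras 3 .keras file is a zip archive whose config.json describes the model as nested dicts carrying "module", "class_name" and "config" keys, so the class this advisory is about is visible in plain JSON before anything is deserialized. The script refuses archives that name TorchModuleWrapper or any object from a module outside a trusted allowlist, and separately tells you whether a version string falls in the affected range. The sample archives are constructed inline; the allowlist of trusted module prefixes is an assumption you should adapt to the custom objects your own models legitimately register.

```python
"""Pre-load triage of .keras archives (added example; not Undercode's or Keras's own code)."""
import io
import json
import zipfile

AFFECTED_MIN = (3, 11, 0)   # first affected release named in the advisory
AFFECTED_MAX = (3, 11, 2)   # last affected release; 3.11.3 is the fix
FLAGGED_CLASSES = {"TorchModuleWrapper"}
# Assumption: only objects from these modules are expected in your models.
TRUSTED_MODULE_PREFIXES = ("keras",)


def is_affected_version(version: str) -> bool:
    """True if a Keras version string (e.g. keras.__version__) falls in 3.11.0..3.11.2."""
    parts = [int(p) for p in version.split(".")[:3] if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return AFFECTED_MIN <= tuple(parts) <= AFFECTED_MAX


def walk_config(node, path="", findings=None):
    """Visit every dict in the config tree; record flagged classes and untrusted modules."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        cls = node.get("class_name")
        mod = node.get("module")
        if cls in FLAGGED_CLASSES:
            findings.append((path, f"flagged class {cls}"))
        if isinstance(mod, str) and not mod.startswith(TRUSTED_MODULE_PREFIXES):
            findings.append((path, f"untrusted module {mod}"))
        for key, value in node.items():
            walk_config(value, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            walk_config(value, f"{path}[{i}]", findings)
    return findings


def inspect_keras_archive(data: bytes) -> list:
    """Return (json-path, reason) findings for a .keras archive given as bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "config.json" not in zf.namelist():
                return [("", "config.json missing: not a Keras 3 archive")]
            config = json.loads(zf.read("config.json"))
    except (zipfile.BadZipFile, ValueError) as exc:
        return [("", f"unreadable archive: {exc}")]
    return walk_config(config)


def safe_to_load(data: bytes) -> bool:
    """Gate to call before keras.saving.load_model(); refuse on any finding."""
    return inspect_keras_archive(data) == []


def build_archive(config: dict) -> bytes:
    """Constructed test archive: metadata.json + config.json + empty weights placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.11.2"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")
    return buf.getvalue()


DENSE = {"module": "keras.layers", "class_name": "Dense", "config": {"units": 4}}
# Stand-in for a wrapper layer entry; the real serialized torch payload is not reproduced.
WRAPPER = {"module": "keras.layers", "class_name": "TorchModuleWrapper",
           "config": {"name": "torch_module_wrapper"}}
BENIGN_CONFIG = {"module": "keras", "class_name": "Sequential",
                 "config": {"layers": [DENSE]}}
MALICIOUS_CONFIG = {"module": "keras", "class_name": "Sequential",
                    "config": {"layers": [DENSE, WRAPPER]}}

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("malicious", MALICIOUS_CONFIG)):
        print(label, inspect_keras_archive(build_archive(cfg)))
    print("3.11.2 affected:", is_affected_version("3.11.2"))
```

Call `safe_to_load(open(path, "rb").read())` before `keras.saving.load_model(path)`; the check reads only JSON and never instantiates anything, so it cannot trigger the payload itself. It is a triage aid, not a substitute for upgrading: a fixed release is the only thing that actually closes the deserialization path.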
Impact:
Arbitrary code execution on the host system loading the model, leading to full compromise of the application environment and underlying server.
Sources:
Reported By: github.com

