Keras, Arbitrary File Read & SSRF, CVE-2024-5038 (Critical)


The vulnerability in Keras' `Model.load_model` method, even with `safe_mode=True`, allows arbitrary file reads and SSRF due to insecure handling of the `StringLookup` layer while loading a malicious `.keras` archive. The `StringLookup` layer's constructor accepts a `vocabulary` parameter, which is intended to define the layer's vocabulary. However, an attacker can craft a `.keras` file in which this parameter specifies a path to a local file or a remote URL. During model loading, Keras uses `tf.io.gfile` to read the data from the path given in the `vocabulary` argument. Because `tf.io.gfile` supports local filesystems, HTTP/HTTPS, and other remote protocols, this mechanism can be abused. For a local file path, the contents of any file accessible to the process are read and loaded into the model's vocabulary, from which they can be exfiltrated. For a remote URL, the server makes an outbound HTTP request, leading to SSRF. The core security failure is that the `safe_mode` flag does not restrict this data-loading feature, leaving these unintended data access paths open.
Platform: Keras
Version: <=2.15.0
Vulnerability: File Read/SSRF
Severity: Critical
Date: 2024-12-19

Prediction: Patch by 2025-01-15

What Undercode Says:

# Crafting a malicious .keras archive (shell)
# config.json contains a crafted StringLookup config
echo '{"class_name": "StringLookup", "config": {"vocabulary": "file:///etc/passwd"}}' > config.json
zip malicious.keras config.json assets/vocab.txt

# Loading the malicious model triggers the exploit (Python)
from keras.models import load_model
model = load_model('malicious.keras', safe_mode=True)
# Exfiltrate stolen data via the model's state
vocab = model.get_layer("string_lookup").get_vocabulary()

How the Exploit Works:

Malicious .keras archive loads.

StringLookup config parsed.

tf.io.gfile reads local/remote path.

File content loaded as vocabulary.

Data accessible via get_vocabulary().

Protection from this CVE

Update Keras version.

Sanitize model inputs.

Network segmentation.

Restrict file permissions.
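"Sanitize model inputs" can be made concrete by inspecting a `.keras` archive before it is ever handed to `load_model`: the archive is a zip whose `config.json` describes every layer, so a loader can refuse any `StringLookup`-style layer whose `vocabulary` is a string (a path or URL) rather than an inline list. The scanner below is an added example, not code from Keras or from this advisory; the archive it checks is constructed in memory for the demonstration, and the inclusion of `IntegerLookup` and `IndexLookup` alongside `StringLookup` is an assumption that those sibling layers share the same file-backed `vocabulary` handling.

```python
import io
import json
import zipfile

# Layers whose `vocabulary` argument may be resolved as a file path or URL
# (StringLookup is the one named in the advisory; the others are assumed siblings).
LOOKUP_LAYERS = {"StringLookup", "IntegerLookup", "IndexLookup"}


def _walk(node, path, findings):
    """Recursively visit a deserialized Keras config and record lookup layers
    whose `vocabulary` is a string (path/URL) instead of an inline list."""
    if isinstance(node, dict):
        cls = node.get("class_name")
        cfg = node.get("config")
        if cls in LOOKUP_LAYERS and isinstance(cfg, dict):
            vocab = cfg.get("vocabulary")
            if isinstance(vocab, str):
                findings.append((path, cls, vocab))
        for key, child in node.items():
            _walk(child, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", findings)


def scan_keras_archive(data: bytes):
    """Return (json_path, class_name, vocabulary) for every lookup layer in
    config.json that points its vocabulary at an external location.
    An empty list means the archive passed this check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("not a .keras archive: config.json missing")
        config = json.loads(zf.read("config.json"))
    _walk(config, "$", findings)
    return findings


def build_sample_archive(vocabulary) -> bytes:
    """Constructed sample: a minimal archive carrying one StringLookup layer."""
    config = {"class_name": "Functional", "config": {"layers": [
        {"class_name": "StringLookup", "name": "string_lookup",
         "config": {"vocabulary": vocabulary}}]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_keras_archive(build_sample_archive("file:///etc/passwd"))
    print("REJECT" if hits else "OK", hits)
```

Run the scan on untrusted archives before `load_model` and reject on any finding; a real `.keras` file also carries weights and metadata, which this check deliberately ignores.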

Impact:

Local file disclosure.

Internal service probing.

Data exfiltration.

Bypassed safe_mode.


Sources:

Reported By: github.com
