Keras, Deserialization of Untrusted Data, CVE-2025-XXXXX (Critical)

Listen to this Post

The CVE-2025-XXXXX vulnerability in Keras stems from an insecure deserialization process within the `Model.load_model` method. A malicious actor can create a specially crafted `.keras` archive containing a `config.json` file. This file exploits the method’s loading order to first call keras.config.enable_unsafe_deserialization(), which programmatically disables the intended `safe_mode=True` security control. Once safe mode is disabled, the loader processes subsequent layers in the archive without restriction. An attacker can then include a Lambda layer containing serialized (pickled) arbitrary Python code. During the model loading procedure, this malicious payload is unpickled and executed, leading to a complete compromise of the system and allowing for arbitrary code execution on the target machine.
Platform: Keras
Version: <=2.17.0
Vulnerability: Arbitrary Code Execution
Severity: Critical

date: 2025-09-19

Prediction: Patch by 2025-10-10

What Undercode Say:

python3 -c "import keras; print(keras.<strong>version</strong>)"
Proof-of-Concept config.json snippet
{"config": {"name": "malicious_layer", "config": {"function": "keras.config.enable_unsafe_deserialization"}}}

How Exploit:

Craft malicious .keras archive.

Trick user into loading it.

Bypass safe_mode via config.

Execute pickled code.

Protection from this CVE

Update Keras version.

Avoid untrusted models.

Validate archive contents.

Impact:

Remote Code Execution

System Compromise

Complete Loss of Integrity

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top