CVE-2025-1550
📋 TL;DR
CVE-2025-1550 is a critical remote code execution vulnerability in Keras: `load_model` (`keras.models.load_model` / `keras.saving.load_model`, described in the advisory as `Model.load_model`) could execute arbitrary Python code even when called with `safe_mode=True`. `safe_mode` only blocks deserialization of Lambda layers that carry serialized Python bytecode; the deserializer also honoured the `module` and `class_name` entries in the archive's `config.json`, importing whatever module was named and calling the named object. An attacker who can get a crafted `.keras` archive loaded therefore runs code of their choosing. Any system that loads `.keras` files from untrusted sources is affected.
💻 Affected Systems
- Keras
📦 What is this software?
Keras is an open-source deep learning framework written in Python and maintained by the keras-team on GitHub. The `.keras` format is its native model archive: a zip file containing `config.json` (the serialized model architecture, including the module and class name of every layer), `metadata.json`, and the weights file.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code with the privileges of the Keras process, potentially leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Remote code execution leading to data exfiltration, installation of backdoors, or lateral movement within the network.
If Mitigated
Limited if models are only loaded from trusted, integrity-checked sources and the process that calls `load_model` runs in an isolated, least-privilege environment.
🎯 Exploit Status
A proof-of-concept exploit is publicly available (see the GitHub references). The attacker must craft a malicious `.keras` archive and get the victim to load it; no authentication against Keras itself is involved, so any path that accepts attacker-supplied models (a web upload endpoint, a model registry, a shared bucket) is sufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in the Keras release that contains PR #20751
Vendor Advisory: https://github.com/keras-team/keras/pull/20751
Restart Required: No OS restart, but any running Python process that has already imported Keras (inference services, notebooks, workers) must be restarted to pick up the fixed code.
Instructions:
1. Update Keras to a release that contains PR #20751 (`pip install --upgrade keras`). 2. Confirm the installed version with `python -c "import keras; print(keras.__version__)"` and compare it against the release notes for that PR. 3. Restart every process that had Keras loaded; the fix stops `load_model` from importing arbitrary modules named in `config.json`, so objects outside Keras must from now on be passed via `custom_objects` or registered with `@keras.saving.register_keras_serializable()`.
🔧 Temporary Workarounds
Disable loading of .keras files from untrusted sources
Implement strict input validation so that only `.keras` files from trusted, verified sources are ever passed to `load_model`; inspect `config.json` for `module` entries outside the `keras` namespace before loading.
Use alternative model formats
Converting models to `.h5` or TensorFlow SavedModel removes the `.keras` archive from the loading path, but these formats still reconstruct layers from a serialized config and can still carry Lambda layers with Python code, so treat conversion as a reduction in exposure to this specific bug, not as a substitute for only loading trusted files.
🧯 If You Can't Patch
- Implement strict file integrity checks and digital signatures for all .keras files before loading
- Run Keras in isolated containers or sandboxes with minimal privileges to limit potential damage
🔍 How to Verify
Check if Vulnerable:
Compare the installed Keras version against the release containing PR #20751. If you need to test behaviour rather than version numbers, do it in an isolated environment with a crafted `.keras` file whose `config.json` names a harmless non-Keras callable; if `load_model(..., safe_mode=True)` imports and calls it, the installation is vulnerable.
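The workaround and integrity-check advice above (only load validated `.keras` files, inspect `config.json` before loading, pin known-good files by hash) can be implemented without Keras at all, because a `.keras` file is a zip archive whose `config.json` lists the `module` and `class_name` of every serialized object. The following pre-load scanner is an added example written for this page, not code from the Keras project: it opens the archive in memory, walks the config, and reports any object whose `module` is outside an allowlist (assumed here to be the `keras` namespace only) as well as any `Lambda` layer, which can embed serialized Python code. The two configs at the bottom are constructed test inputs, and the `os.getcwd` entry is a harmless stand-in for whatever an attacker would name.

```python
import hashlib
import io
import json
import zipfile

# Module prefixes a model config may reference. Keras' own layers live under
# "keras"; extend this only with packages you ship and trust (assumption for
# this example: nothing else is allowed).
ALLOWED_MODULE_PREFIXES = ("keras",)
# Layer classes that can carry serialized Python code even when module is fine.
CODE_CARRYING_CLASSES = {"Lambda"}


def walk_config(node, path="$"):
    """Yield (json_path, module, class_name) for every dict that names a module."""
    if isinstance(node, dict):
        if isinstance(node.get("module"), str):
            yield path, node["module"], node.get("class_name")
        for key, value in node.items():
            yield from walk_config(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_config(value, f"{path}[{i}]")


def module_allowed(module):
    # Exact match or a dotted sub-module; "kerasx" must not pass.
    return any(module == p or module.startswith(p + ".") for p in ALLOWED_MODULE_PREFIXES)


def scan_keras_archive(data):
    """Return a list of findings for a .keras archive given as bytes; [] means clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive (a .keras file is a zip)"]
    with zf:  # read config.json directly from the zip, nothing is extracted to disk
        if "config.json" not in zf.namelist():
            return ["archive has no config.json"]
        config = json.loads(zf.read("config.json"))
    findings = []
    for path, module, class_name in walk_config(config):
        if not module_allowed(module):
            findings.append(f"{path}: module {module!r} is outside the allowlist (class_name={class_name!r})")
        if class_name in CODE_CARRYING_CLASSES:
            findings.append(f"{path}: {class_name} layer can embed Python code")
    return findings


def sha256_allowed(data, allowed_digests):
    """Integrity pin: accept only archives whose SHA-256 is on a known-good list."""
    return hashlib.sha256(data).hexdigest() in allowed_digests


def build_archive(config):
    """Build a minimal constructed .keras archive (weights omitted) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))  # constructed
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


# Constructed sample configs (shape follows what Keras writes for a Sequential model).
DENSE = {"module": "keras.layers", "class_name": "Dense", "config": {"units": 2}, "registered_name": None}
BENIGN_CONFIG = {"module": "keras", "class_name": "Sequential",
                 "config": {"name": "sequential", "layers": [DENSE]}, "registered_name": None}
TAMPERED_CONFIG = {"module": "keras", "class_name": "Sequential",
                   "config": {"name": "sequential", "layers": [
                       DENSE,
                       # attacker-style entry: any importable module, any callable
                       {"module": "os", "class_name": "getcwd", "config": {}},
                       {"module": "keras.layers", "class_name": "Lambda", "config": {}},
                   ]}, "registered_name": None}

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, scan_keras_archive(build_archive(cfg)) or "clean")
```

Run the scanner (and the hash check against a list of digests you generated from models you trained yourself) before the file ever reaches `load_model`; a non-empty findings list means reject the file, not "load it with `safe_mode=True`", since that flag does not cover this bug.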
Check Version:
python -c "import keras; print(keras.__version__)"
Verify Fix Applied:
After updating, loading an archive whose `config.json` names a module outside Keras should fail with a deserialization error instead of importing and calling the named object. Run this check only in an isolated environment and only with a harmless target in the crafted config.
📡 Detection & Monitoring
Log Indicators:
- Unexpected Python module imports during model loading
- Suspicious file operations following .keras file uploads
- Errors from load_model with malformed config.json
Network Indicators:
- Unusual outbound connections from systems loading .keras files
- File uploads of .keras archives to web applications
SIEM Query:
source="web_logs" AND (file_extension=".keras" OR file_type="keras") AND status="200"
(`file_extension` and `file_type` are placeholders; substitute the field names your web log source actually emits, and restrict to upload methods such as POST and PUT where the field is available.)
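The network indicator above ("file uploads of .keras archives to web applications") and the SIEM query can be checked offline against raw access logs. The following detector is an added example written for this page, not part of the original advisory or of Keras: it parses Apache/nginx combined-format lines, and flags POST/PUT requests whose target mentions `.keras` and that the server accepted (2xx). The log lines are constructed sample data with documentation addresses, and the assumption is that the upload filename appears in the request path or query string, which is the case for the `status="200"` query the page gives but not for uploads where the name only appears in a multipart body.

```python
import re
from collections import Counter

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_keras_upload(rec):
    """Rule: accepted (2xx) upload whose request target names a .keras file."""
    return (rec["method"] in UPLOAD_METHODS
            and ".keras" in rec["target"].lower()
            and rec["status"].startswith("2"))


def detect_keras_uploads(lines):
    """Run the rule over raw lines; returns the matching records in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_keras_upload(rec):
            hits.append(rec)
    return hits


def uploads_per_client(hits):
    """Aggregate matches by source address to surface repeat uploaders."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "POST /api/models/upload?name=resnet.keras HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.3 - - [10/Mar/2025:14:02:40 +0000] "GET /static/app.js HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:14:03:05 +0000] "PUT /models/classifier.keras HTTP/1.1" 201 0 "-" "curl/8.5"
192.0.2.9 - - [10/Mar/2025:14:04:00 +0000] "POST /models/big.keras HTTP/1.1" 413 0 "-" "curl/8.5"
192.0.2.9 - - [10/Mar/2025:14:04:30 +0000] "GET /models/classifier.keras HTTP/1.1" 200 88 "-" "curl/8.5"
this line is not an access log entry
""".splitlines()

if __name__ == "__main__":
    for h in detect_keras_uploads(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["method"], h["target"], h["status"])
    print(uploads_per_client(detect_keras_uploads(SAMPLE_LOG)))
```

The rejected 413 upload and the GET download are deliberately left out of the matches: the question this rule answers is "which client got an attacker-controllable model file onto the server", which is the precondition for the vulnerability, and a hit should be followed by pulling the stored file and running a config scan on it before anything calls `load_model`.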