CVE-2025-49655
📋 TL;DR
This vulnerability allows arbitrary code execution when deserializing malicious Keras files containing a TorchModuleWrapper class, even with safe mode enabled. It affects users of Keras framework versions 3.11.0 through 3.11.2 who load untrusted Keras files. Both local file loading and remote file fetching are vulnerable vectors.
💻 Affected Systems
- Keras
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the affected system, enabling data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution leading to data exfiltration, cryptocurrency mining, or botnet enrollment when processing malicious files from untrusted sources.
If Mitigated
Limited impact with proper file validation and network segmentation, potentially only affecting isolated processing environments.
🎯 Exploit Status
Exploitation requires only a malicious Keras file to be loaded. The vulnerability bypasses safe mode protections designed to prevent such attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.11.3
Vendor Advisory: https://github.com/keras-team/keras/pull/21575
Restart Required: No
Instructions:
1. Update Keras using pip: pip install --upgrade keras==3.11.3
2. Verify installation with: python -c "import keras; print(keras.__version__)"
3. Test that safe mode properly blocks malicious files.
🔧 Temporary Workarounds
Disable unsafe deserialization
Implement custom file validation before loading Keras files to reject suspicious content.
# Python code to validate files before loading
import hashlib
from pathlib import Path

def validate_keras_file(filepath, known_good_sha256):
    # Only load files whose SHA-256 matches a hash recorded when the model
    # was produced by a trusted source; anything else is refused before
    # keras.saving.load_model ever sees it.
    digest = hashlib.sha256(Path(filepath).read_bytes()).hexdigest()
    if digest not in known_good_sha256:
        raise ValueError(f"Refusing to load {filepath}: hash {digest} is not on the allowlist")
    return digest
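A hash allowlist only proves provenance. As an added example (not part of this advisory and not Keras project code), the following Python reads the model configuration out of a .keras archive before it is handed to the loader: Keras 3 stores that configuration as config.json inside a zip archive, so the class names a file would instantiate can be listed without deserializing anything. The DISALLOWED_CLASSES set, the helper names and the two sample configurations are assumptions constructed for illustration; the only class name it blocks is the TorchModuleWrapper named in this advisory.

```python
# Added example (not from the advisory or the Keras project): inspect a
# Keras 3 ".keras" archive for disallowed layer classes before loading it.
import io
import json
import zipfile

# Class names the advisory identifies as the dangerous deserialization path.
# Assumption: extend this set with anything else your deployment never loads.
DISALLOWED_CLASSES = {"TorchModuleWrapper"}


def find_class_names(node, found=None):
    """Recursively collect every 'class_name' value in a Keras config tree."""
    if found is None:
        found = set()
    if isinstance(node, dict):
        name = node.get("class_name")
        if isinstance(name, str):
            found.add(name)
        for value in node.values():
            find_class_names(value, found)
    elif isinstance(node, list):
        for value in node:
            find_class_names(value, found)
    return found


def scan_keras_archive(data):
    """Return the disallowed class names referenced by a .keras archive.

    `data` is the raw bytes of the archive. A non-zip input, a missing
    config.json or malformed JSON fails closed by raising ValueError.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            config = json.loads(zf.read("config.json"))
    except (zipfile.BadZipFile, KeyError, ValueError) as exc:
        raise ValueError(f"not a readable .keras archive: {exc}") from exc
    return find_class_names(config) & DISALLOWED_CLASSES


def is_safe_to_load(data):
    """True only if the archive parses and references no disallowed class."""
    return not scan_keras_archive(data)


def build_archive(config):
    """Constructed helper: build an in-memory .keras-style zip for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.11.2"}))
    return buf.getvalue()


# Constructed sample configs: a benign Dense model and one whose layer list
# references the wrapper class this advisory describes.
BENIGN = {"class_name": "Sequential", "config": {"layers": [
    {"class_name": "InputLayer", "config": {"shape": [4]}},
    {"class_name": "Dense", "config": {"units": 2}}]}}
SUSPICIOUS = {"class_name": "Sequential", "config": {"layers": [
    {"class_name": "InputLayer", "config": {"shape": [4]}},
    {"class_name": "TorchModuleWrapper", "config": {"module": "<placeholder>"}}]}}

if __name__ == "__main__":
    print("benign safe to load:", is_safe_to_load(build_archive(BENIGN)))
    print("suspicious safe to load:", is_safe_to_load(build_archive(SUSPICIOUS)))
```

Run the scan on the bytes of a downloaded file and call the loader only when is_safe_to_load returns True; a file that is not a valid archive is rejected rather than passed through, which matters because the loader, not this check, is what the advisory says can be abused.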
Sandbox file processing
Run Keras file loading in isolated containers or virtual environments with restricted permissions.
# Example using Docker with minimal permissions
docker run --rm -v $(pwd):/data -u nobody python:3.9 python -c "import keras; keras.models.load_model('/data/model.keras')"
🧯 If You Can't Patch
- Implement strict file origin controls - only load Keras files from trusted, verified sources
- Deploy network segmentation to isolate systems processing Keras files from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check Keras version with: python -c "import keras; print(keras.__version__)". If version is 3.11.0, 3.11.1, or 3.11.2, the system is vulnerable.
Check Version:
python -c "import keras; print(keras.__version__)"
Verify Fix Applied:
After updating, verify version is 3.11.3 or higher and test loading known-safe Keras files works while safe mode blocks malicious patterns.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution following Keras file loading
- Failed safe mode validation attempts
- Unusual file I/O patterns from Keras processes
Network Indicators:
- Outbound connections from Keras processes to unknown destinations
- Unexpected DNS queries following model loading
SIEM Query:
process_name:"python" AND cmdline:"keras" AND (event_type:"process_execution" OR event_type:"network_connection")