CVE-2024-55459 Overview
CVE-2024-55459 is an arbitrary file write vulnerability affecting Keras version 3.7.0. The vulnerability exists in the get_file function, which can be exploited by attackers to write arbitrary files to a user's machine by tricking them into downloading a crafted tar file. This vulnerability falls under CWE-494 (Download of Code Without Integrity Check), highlighting the lack of proper validation when processing downloaded archives.
Critical Impact
Attackers can leverage this vulnerability to write malicious files anywhere on the user's filesystem, potentially leading to code execution, data corruption, or system compromise through path traversal techniques embedded in malicious tar archives.
Affected Products
- Keras 3.7.0
- Applications using the get_file function to download and extract tar archives
- Machine learning pipelines that automatically download model files or datasets
Discovery Timeline
- January 8, 2025 - CVE-2024-55459 published to NVD
- September 22, 2025 - Last updated in NVD database
Technical Details for CVE-2024-55459
Vulnerability Analysis
This arbitrary file write vulnerability stems from improper handling of tar archives within Keras's get_file function. The function is commonly used by machine learning practitioners to download pre-trained models, datasets, and other resources from remote sources. When processing tar archives, the function fails to properly sanitize file paths within the archive, allowing malicious archives to contain path traversal sequences that write files outside the intended extraction directory.
The attack requires user interaction, as the victim must be convinced to download and extract a crafted tar file using the vulnerable get_file function. Once executed, the malicious archive can write files to arbitrary locations on the filesystem, potentially overwriting critical system files or placing executable code in startup directories.
Root Cause
The root cause of this vulnerability is the absence of proper path validation when extracting files from tar archives. The get_file function does not verify that extracted file paths remain within the intended target directory. This allows crafted tar archives containing entries with path traversal sequences (such as ../../../etc/passwd or absolute paths) to escape the extraction directory and write files anywhere the user has write permissions.
This type of vulnerability, commonly known as a "Zip Slip" or "Tar Slip" attack, occurs when archive extraction routines trust the file paths provided within the archive without sanitization.
Attack Vector
The attack vector is network-based: an attacker must deliver a malicious tar archive to the victim. A typical scenario runs as follows.
The attacker hosts a malicious tar archive on a server and convinces the victim to use the get_file function to download it. This could be achieved through social engineering, typosquatting popular model repositories, or compromising legitimate model hosting services. Once the victim's application calls get_file with the malicious URL, the crafted archive is downloaded and extracted, writing files to attacker-controlled locations on the filesystem.
The malicious tar archive would contain entries with path traversal sequences designed to escape the extraction directory. For example, an entry named ../../../.bashrc would write to the user's home directory, potentially adding malicious commands to their shell configuration that execute on the next login.
Detection Methods for CVE-2024-55459
Indicators of Compromise
- Unexpected files appearing in directories outside of Keras cache directories (typically ~/.keras/)
- Modified system configuration files or startup scripts
- Presence of files with suspicious names in home directories or system paths
- Log entries showing get_file operations fetching resources from untrusted or unusual URLs
Detection Strategies
- Monitor file system activity for writes to sensitive directories during Keras operations
- Implement file integrity monitoring on critical system files and user profile configurations
- Audit Keras get_file calls in application code to ensure only trusted sources are used
- Review network logs for connections to suspicious or unrecognized model hosting services
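One way to automate the get_file audit listed above, as an added example (not code from Keras or from the original advisory). It parses Python source with `ast` and flags calls that extract archives, skip `file_hash`, or fetch from hosts outside an allowlist. The allowlist, host names and sample source are constructed assumptions.

```python
import ast
from urllib.parse import urlparse

TRUSTED_HOSTS = {"models.internal.example"}  # assumption: replace with your own allowlist

# Constructed sample source to audit; it is parsed, never executed.
SAMPLE_SOURCE = '''\
from keras.utils import get_file
a = get_file("data.npz", origin="https://models.internal.example/data.npz", file_hash="<sha256>")
b = get_file("w.tar.gz", origin="http://files.example.net/w.tar.gz", extract=True)
c = get_file(origin=user_supplied_url, untar=True, file_hash=expected)
'''

def _enabled(node):
    """Treat a flag as on unless it is absent or the literal False."""
    return node is not None and not (isinstance(node, ast.Constant) and node.value is False)

def audit_get_file_calls(source, trusted_hosts=TRUSTED_HOSTS):
    """Return (lineno, [issues]) for each risky get_file call in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "get_file":
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        # origin is the second positional parameter of get_file.
        origin = kw.get("origin") or (node.args[1] if len(node.args) > 1 else None)
        issues = []
        if isinstance(origin, ast.Constant) and isinstance(origin.value, str):
            url = urlparse(origin.value)
            if url.scheme != "https":
                issues.append("origin is not https")
            if url.hostname not in trusted_hosts:
                issues.append(f"untrusted host {url.hostname}")
        else:
            issues.append("origin is not a string literal; review its source")
        if _enabled(kw.get("extract")) or _enabled(kw.get("untar")):
            issues.append("archive is extracted after download")
        if "file_hash" not in kw and "md5_hash" not in kw:
            issues.append("no file_hash integrity check")
        if issues:
            findings.append((node.lineno, issues))
    return sorted(findings)
```

Run `audit_get_file_calls` over each project file's text; hash arguments passed positionally are not recognised and will be reported as missing.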
Monitoring Recommendations
- Enable file system auditing to track file creation events outside expected directories
- Monitor the Keras cache directory (~/.keras/datasets/ and ~/.keras/models/) for unexpected activity
- Implement network monitoring to detect downloads of tar files from untrusted sources
- Set up alerts for modifications to shell configuration files and system startup scripts
How to Mitigate CVE-2024-55459
Immediate Actions Required
- Audit all uses of the get_file function in your codebase to ensure only trusted URLs are used
- Avoid downloading model files or datasets from untrusted or unverified sources
- Consider implementing additional path validation before using get_file with user-controlled URLs
- Monitor for updates to Keras that address this vulnerability
Patch Information
As of the last NVD update, users should monitor the Keras GitHub Repository and Keras Official Website for security patches addressing this vulnerability. The Notion Vulnerability Report provides additional technical details about the vulnerability.
Workarounds
- Restrict get_file usage to only download from trusted, verified sources with integrity checks
- Implement application-level path validation that verifies extracted file paths stay within the target directory
- Use network-level controls to restrict which external hosts your application can download from
- Consider using alternative file download mechanisms that include path sanitization
```bash
# Example: Verify Keras version in your environment
pip show keras | grep Version

# Check for uses of get_file in your codebase
grep -r "get_file" --include="*.py" /path/to/your/project

# Tighten permissions on shell startup files (these are files, not directories).
# This only limits other users; a process running as the owner can still replace them.
chmod 600 ~/.bashrc ~/.profile
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

