CVE-2025-1550: Keras Model RCE Vulnerability

CVE-2025-1550 Overview

CVE-2025-1550 is an arbitrary code execution vulnerability in the Keras deep learning library's Model.load_model function. The vulnerability allows attackers to execute arbitrary code even when safe_mode=True is explicitly set, bypassing the intended security protections. By crafting a malicious .keras archive with an altered config.json file, an attacker can specify arbitrary Python modules and functions along with their arguments to be loaded and executed during the model loading process.

Critical Impact
Attackers can achieve arbitrary code execution on systems that load untrusted Keras model files, potentially leading to complete system compromise, data exfiltration, or lateral movement within machine learning infrastructure.

Affected Products

Keras (all versions prior to the patch)
Applications using keras.Model.load_model() with untrusted model files
Machine learning pipelines that process external .keras archives

Discovery Timeline

2025-03-11 - CVE-2025-1550 published to NVD
2025-07-31 - Last updated in NVD database

Technical Details for CVE-2025-1550

Vulnerability Analysis

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw exists in how Keras processes the config.json file within .keras archive files during model loading operations.

The Keras library provides a safe_mode parameter intended to prevent arbitrary code execution when loading model files from untrusted sources. However, the implementation fails to adequately sanitize the configuration data, allowing attackers to bypass this protection entirely. When a model is loaded, the configuration file is parsed and its contents are used to instantiate Python objects, including specifying which modules and functions to import and execute.

The vulnerability requires local access to place a malicious model file where it will be loaded, and some user interaction is typically needed to trigger the model loading operation. However, in automated ML pipelines that process uploaded model files, this could be exploited without direct user intervention.

Root Cause

The root cause stems from insufficient validation of the config.json contents within .keras archives. The model loading mechanism allows specification of arbitrary Python modules and functions in the configuration, which are then dynamically imported and executed. The safe_mode=True parameter was intended to restrict this behavior but fails to properly block all malicious configurations.

The deserialization process trusts the configuration data to specify legitimate Keras model components, but attackers can manipulate this to reference arbitrary Python code paths, effectively turning model loading into a code execution primitive.

Attack Vector

The attack requires local access (AV:L) with low attack complexity. An attacker must:

Create a valid .keras archive structure
Modify the config.json file to include references to arbitrary Python modules and functions
Specify malicious arguments that will be passed to the imported functions
Deliver the malicious archive to a target system where it will be loaded

When a victim or automated system calls Model.load_model() on the malicious archive, the specified Python code executes regardless of the safe_mode setting. This could occur in scenarios such as:

Data scientists loading models shared by collaborators
ML platforms processing user-uploaded model files
Automated training pipelines loading checkpoint files

The attack exploits the trust relationship between the Keras library and its model file format, bypassing the security controls that users expect safe_mode=True to provide.

Detection Methods for CVE-2025-1550

Indicators of Compromise

Unexpected Python process execution when loading .keras model files
Suspicious entries in config.json files within .keras archives referencing non-Keras Python modules
Network connections or file system modifications initiated during model loading operations
Unusual import statements in Python process memory during Keras operations

Detection Strategies

Monitor for .keras archive files containing config.json entries that reference modules outside the expected Keras namespace
Implement file integrity monitoring on model storage directories to detect unauthorized modifications
Use application-level logging to track all Model.load_model() calls and their source file paths
Deploy behavioral analysis to identify anomalous activity during ML model loading operations

Monitoring Recommendations

Enable verbose logging for Keras operations in production ML pipelines
Implement sandbox execution for loading untrusted model files
Monitor for unusual Python imports or subprocess executions correlated with model loading events
Establish baseline behavior for ML infrastructure and alert on deviations

How to Mitigate CVE-2025-1550

Immediate Actions Required

Update Keras to the patched version that addresses this vulnerability
Audit all sources of .keras model files and establish trusted provenance
Avoid loading model files from untrusted or unverified sources
Implement input validation and sandboxing for ML model loading operations
Review any model files received from external parties for suspicious configuration entries

Patch Information

The Keras development team has addressed this vulnerability through Pull Request #20751. Organizations should update their Keras installations to the patched version as soon as possible.

For detailed technical analysis of the vulnerability, refer to the Tower of Hanoi CVE Writeup.

Workarounds

Only load .keras model files from trusted, verified sources until patching is complete
Manually inspect the config.json file within any .keras archive before loading, checking for references to unexpected Python modules
Run model loading operations in isolated container environments with minimal privileges
Implement network isolation for systems that process external model files to limit the impact of potential exploitation

bash

# Inspect a .keras archive before loading
# Extract and examine the config.json for suspicious module references
unzip -p model.keras config.json | python -m json.tool

# Look for any module references that are not from keras, tensorflow, or expected ML libraries
# Suspicious entries may include references to os, subprocess, sys, or other dangerous modules

CVE-2025-1550 Overview

Critical Impact
Attackers can achieve arbitrary code execution on systems that load untrusted Keras model files, potentially leading to complete system compromise, data exfiltration, or lateral movement within machine learning infrastructure.

Affected Products

Keras (all versions prior to the patch)
Applications using keras.Model.load_model() with untrusted model files
Machine learning pipelines that process external .keras archives

Discovery Timeline

2025-03-11 - CVE-2025-1550 published to NVD
2025-07-31 - Last updated in NVD database

Technical Details for CVE-2025-1550

Vulnerability Analysis

Root Cause

Attack Vector

The attack requires local access (AV:L) with low attack complexity. An attacker must:

Create a valid .keras archive structure
Modify the config.json file to include references to arbitrary Python modules and functions
Specify malicious arguments that will be passed to the imported functions
Deliver the malicious archive to a target system where it will be loaded

When a victim or automated system calls Model.load_model() on the malicious archive, the specified Python code executes regardless of the safe_mode setting. This could occur in scenarios such as:

Data scientists loading models shared by collaborators
ML platforms processing user-uploaded model files
Automated training pipelines loading checkpoint files

The attack exploits the trust relationship between the Keras library and its model file format, bypassing the security controls that users expect safe_mode=True to provide.

Detection Methods for CVE-2025-1550

Indicators of Compromise

Unexpected Python process execution when loading .keras model files
Suspicious entries in config.json files within .keras archives referencing non-Keras Python modules
Network connections or file system modifications initiated during model loading operations
Unusual import statements in Python process memory during Keras operations

Detection Strategies

Monitor for .keras archive files containing config.json entries that reference modules outside the expected Keras namespace
Implement file integrity monitoring on model storage directories to detect unauthorized modifications
Use application-level logging to track all Model.load_model() calls and their source file paths
Deploy behavioral analysis to identify anomalous activity during ML model loading operations

Monitoring Recommendations

Enable verbose logging for Keras operations in production ML pipelines
Implement sandbox execution for loading untrusted model files
Monitor for unusual Python imports or subprocess executions correlated with model loading events
Establish baseline behavior for ML infrastructure and alert on deviations

How to Mitigate CVE-2025-1550

Immediate Actions Required

Update Keras to the patched version that addresses this vulnerability
Audit all sources of .keras model files and establish trusted provenance
Avoid loading model files from untrusted or unverified sources
Implement input validation and sandboxing for ML model loading operations
Review any model files received from external parties for suspicious configuration entries

Patch Information

The Keras development team has addressed this vulnerability through Pull Request #20751. Organizations should update their Keras installations to the patched version as soon as possible.

For detailed technical analysis of the vulnerability, refer to the Tower of Hanoi CVE Writeup.

Workarounds

Only load .keras model files from trusted, verified sources until patching is complete
Manually inspect the config.json file within any .keras archive before loading, checking for references to unexpected Python modules
Run model loading operations in isolated container environments with minimal privileges
Implement network isolation for systems that process external model files to limit the impact of potential exploitation

bash

# Inspect a .keras archive before loading
# Extract and examine the config.json for suspicious module references
unzip -p model.keras config.json | python -m json.tool

# Look for any module references that are not from keras, tensorflow, or expected ML libraries
# Suspicious entries may include references to os, subprocess, sys, or other dangerous modules

CVE-2025-1550: Keras Model RCE Vulnerability

CVE-2025-1550 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-1550

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-1550

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-1550

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-1550: Keras Model RCE Vulnerability

CVE-2025-1550 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-1550

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-1550

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-1550

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform