{ "schema_version": "1.4.0", "id": "GHSA-48g7-3x6r-xfhp", "modified": "2025-03-11T20:07:32Z", "published": "2025-03-11T20:07:32Z", "aliases": [ "CVE-2025-1550" ], "summary": "Arbitrary Code Execution via Crafted Keras Config for Model Loading", "details": "### Impact\n\nThe Keras `Model.load_model` function permits arbitrary code execution, even with `safe_mode=True`, through a manually constructed, malicious `.keras` archive. By altering the `config.json` file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.\n\n### Patches\n\nThis problem is fixed starting with version `3.9`.\n\n### Workarounds\n\nOnly load models from trusted sources and model archives created with Keras.\n\n### References\n\n- https://www.cve.org/cverecord?id=CVE-2025-1550\n- https://github.com/keras-team/keras/pull/20751", "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "keras" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.9.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/keras-team/keras/security/advisories/GHSA-48g7-3x6r-xfhp" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550" }, { "type": "WEB", "url": "https://github.com/keras-team/keras/pull/20751" }, { "type": "WEB", "url": "https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903" }, { "type": "PACKAGE", "url": "https://github.com/keras-team/keras" }, { "type": "WEB", "url": "https://github.com/keras-team/keras/releases/tag/v3.9.0" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-11T20:07:32Z", "nvd_published_at": null } }