Researchers at HiddenLayer have disclosed a critical arbitrary code execution vulnerability in the Keras 3 deep learning framework (CVE-2025-49655, CVSS 9.8), which affects the Torch backend of Keras 3.11.0 through 3.11.2. The flaw arises from insecure deserialization within the TorchModuleWrapper class, potentially allowing attackers to execute arbitrary system commands simply by loading a malicious model file, even when Keras's "safe mode" is enabled.
According to the HiddenLayer report, "an arbitrary code execution vulnerability exists in the TorchModuleWrapper class due to its usage of torch.load() within the from_config method."
The core issue is that the method calls:
with the weights_only flag explicitly set to False. This parameter tells PyTorch to fall back to Python's pickle module for deserialization, a known unsafe mechanism that can execute arbitrary Python functions during object loading.
As the researchers explained, "Since pickle is known to be unsafe and capable of executing arbitrary code during the deserialization process, a maliciously crafted model file could allow an attacker to execute arbitrary commands."
HiddenLayer demonstrated the exploit by crafting a simple payload class that abuses Python's __reduce__ method to call os.system() upon deserialization.
The proof-of-concept involves encoding a malicious object using base64, embedding it into the TorchModuleWrapper configuration, and then invoking from_config() to trigger the deserialization chain. Once executed, the system runs arbitrary shell commands, demonstrating full local code execution capability.
The HiddenLayer research warns that the vulnerability's impact extends beyond development misuse. Attackers can weaponize legitimate Keras model files (.keras) to deliver hidden payloads.
"An attacker can embed the same malicious payload into a model configuration, so that any user loading the model, even in 'safe' mode, will trigger the exploit."
By inserting a serialized malicious object into the model's config.json, the payload executes automatically whenever a victim loads the model, even if safe_mode=True is enabled, which is meant to restrict unsafe operations during loading.
HiddenLayer confirmed that Keras versions 3.11.0 through 3.11.2 are vulnerable. The issue affects systems using PyTorch as the backend (KERAS_BACKEND="torch"), though configurations using JAX, TensorFlow, or OpenVINO are unaffected.
Because Keras is widely used in research, academic, and production ML pipelines, this vulnerability poses a high-impact threat to ML supply chain security. HiddenLayer categorizes it as a CVSS 9.8 critical-severity flaw, noting that "any user who loads this crafted model will unknowingly execute arbitrary commands on their machine."
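Because safe_mode does not cover this path, a practical defensive check is to inspect a .keras archive's config.json for TorchModuleWrapper layers before it is ever passed to the loader. The scanner below is an added example written for this article, not HiddenLayer's or Keras's code; it assumes only that a .keras file is a zip archive containing config.json (the constructed sample archive and its "module" placeholder are not a real model).

```python
import io
import json
import zipfile

# Hypothetical pre-load scanner (added example, not part of Keras or the HiddenLayer report).
# It walks the nested config tree of a .keras archive and reports every layer whose
# class_name is TorchModuleWrapper, because on the Torch backend of Keras 3.11.0-3.11.2
# that layer's from_config() restores the embedded module via torch.load(weights_only=False),
# i.e. pickle, which safe_mode=True does not prevent (CVE-2025-49655).
FLAGGED_CLASS = "TorchModuleWrapper"


def _walk(node, path, hits):
    """Recursively collect the config paths of every dict whose class_name is flagged."""
    if isinstance(node, dict):
        if node.get("class_name") == FLAGGED_CLASS:
            hits.append(path)
        for key, value in node.items():
            _walk(value, f"{path}/{key}", hits)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", hits)


def find_torch_wrappers(keras_bytes):
    """Return config paths of TorchModuleWrapper layers found in a .keras zip archive."""
    with zipfile.ZipFile(io.BytesIO(keras_bytes)) as archive:
        config = json.loads(archive.read("config.json"))
    hits = []
    _walk(config, "config", hits)
    return hits  # empty list means no pickle-backed wrapper layer was found


def build_sample_archive(include_wrapper):
    """Construct a minimal .keras-style zip (constructed sample data, not a real model)."""
    layers = [{"class_name": "Dense", "config": {"units": 4, "name": "dense"}}]
    if include_wrapper:
        layers.append({
            "class_name": FLAGGED_CLASS,
            # Placeholder standing in for the base64 blob a real wrapper config carries.
            "config": {"name": "wrapped", "module": "<base64 pickle placeholder>"},
        })
    config = {"class_name": "Sequential", "config": {"name": "seq", "layers": layers}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("config.json", json.dumps(config))
        archive.writestr("metadata.json", json.dumps({"keras_version": "3.11.1"}))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"wrapper present={flag}:", find_torch_wrappers(build_sample_archive(flag)))
```

A non-empty result is a reason to reject the file or load it only in an isolated environment on a patched Keras; a clean result is not proof that the archive is otherwise safe.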