Researchers at HiddenLayer have disclosed a critical arbitrary code execution vulnerability in the Keras 3 deep learning framework (CVE-2025-49655, CVSS 9.8), which affects the Torch backend of Keras 3.11.0 through 3.11.2. The flaw arises from insecure deserialization within the TorchModuleWrapper class, potentially allowing attackers to execute arbitrary system commands simply by loading a malicious model file — even when using Keras’ “safe mode.”
According to the HiddenLayer report, “an arbitrary code execution vulnerability exists in the TorchModuleWrapper class due to its usage of torch.load() within the from_config method.”
The core issue is that the method calls torch.load() with the weights_only flag explicitly set to False. This parameter tells PyTorch to fall back to Python’s pickle module for deserialization — a known unsafe mechanism that can execute arbitrary Python functions during object loading.
As the researchers explained, “Since pickle is known to be unsafe and capable of executing arbitrary code during the deserialization process, a maliciously crafted model file could allow an attacker to execute arbitrary commands.”
HiddenLayer demonstrated the exploit by crafting a simple payload class that abuses Python’s __reduce__ method to call os.system() upon deserialization.
The proof-of-concept involves encoding a malicious object using base64, embedding it into the TorchModuleWrapper configuration, and then invoking from_config() to trigger the deserialization chain. Once executed, the system runs arbitrary shell commands, demonstrating full local code execution capability.
The HiddenLayer research warns that the vulnerability’s impact extends beyond development misuse. Attackers can weaponize legitimate Keras model files (.keras) to deliver hidden payloads.
“An attacker can embed the same malicious payload into a model configuration, so that any user loading the model, even in ‘safe’ mode, will trigger the exploit.”
By inserting a serialized malicious object into the model’s config.json, the payload executes automatically whenever a victim loads the model — even if safe_mode=True is enabled, which is meant to restrict unsafe operations during loading.
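The practical defensive question raised by the torch.load()/pickle description above and by the config.json embedding just described is whether a serialized module can be inspected before anything is deserialized. The following Python example is added here and is not HiddenLayer's or Keras' code: it walks the pickle opcode stream with the standard library's pickletools.genops, which parses without executing, and reports every module import the stream would perform, flagging any whose top-level module is not on a small allowlist. It assumes the wrapper config carries the serialized module base64-encoded under a "module" key (the key name is an assumption), that the blob is either a bare pickle or a torch.save()-style zip archive with a ".pkl" member, and that the allowlist is only illustrative. The constructed suspicious sample points pickle at a harmless function in the os module instead of the os.system call the report describes; pickle.dumps records only the reference, and the sample is never loaded.

```python
"""
Added example (not HiddenLayer's or Keras' code): inspect the serialized module in a
TorchModuleWrapper config for off-allowlist imports before any deserialization.

Assumptions, not taken from the report:
  - the wrapper config holds the blob base64-encoded under a "module" key;
  - the blob is a bare pickle or a torch.save()-style zip whose pickle member
    ends with ".pkl";
  - ALLOWED_MODULES is a deliberately small, illustrative allowlist.
"""
import base64
import io
import os
import pickle
import pickletools
import zipfile
from typing import Dict, Iterator, List, Optional

ALLOWED_MODULES = {"collections", "torch", "torch._utils", "numpy"}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def iter_globals(data: bytes) -> Iterator[str]:
    """Yield every 'module.name' the stream would import.  pickletools.genops only
    decodes opcodes, so nothing in the stream is ever executed."""
    memo: Dict[int, Optional[str]] = {}   # memo slot -> string value (strings only)
    strs: List[str] = []                  # pseudo-stack of pushed strings
    last_was_str = False
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            strs.append(arg)
            last_was_str = True
            continue
        if name == "MEMOIZE":
            memo[len(memo)] = strs[-1] if last_was_str else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[int(arg)] = strs[-1] if last_was_str else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            value = memo.get(int(arg))
            if isinstance(value, str):
                strs.append(value)
                last_was_str = True
                continue
        elif name == "GLOBAL":
            yield arg.replace(" ", ".")          # protocols 0-3 encode "module name"
        elif name == "STACK_GLOBAL":
            if len(strs) >= 2:                   # protocol 4+: module, name pushed earlier
                yield f"{strs[-2]}.{strs[-1]}"
        last_was_str = False


def suspicious_imports(data: bytes) -> List[str]:
    """Imports whose top-level module is not on the allowlist."""
    return [ref for ref in iter_globals(data)
            if ref.split(".", 1)[0] not in ALLOWED_MODULES]


def pickle_streams(blob: bytes) -> Iterator[bytes]:
    """torch.save() writes a zip whose pickle sits in a '*.pkl' member; anything
    else is treated as a bare pickle."""
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    yield zf.read(member)
    else:
        yield blob


def check_wrapper_config(config: dict) -> List[str]:
    """Scan a wrapper config dict; an empty list means no off-allowlist import."""
    blob = base64.b64decode(config["module"])    # key name is an assumption
    hits: List[str] = []
    for stream in pickle_streams(blob):
        hits.extend(suspicious_imports(stream))
    return hits


class _Stub:
    # Constructed stand-in for a __reduce__ gadget: it references a harmless function
    # in the os module (pickle records it as posix.getcwd on Linux), never os.system.
    def __reduce__(self):
        return (os.getcwd, ())


def _wrap(blob: bytes) -> dict:
    return {"module": base64.b64encode(blob).decode("ascii")}


def benign_config() -> dict:
    # constructed sample: plain data, no class or function references at all
    return _wrap(pickle.dumps({"layer": "dense", "weights": [0.1, 0.2]}, protocol=4))


def suspicious_config(as_torch_zip: bool = False) -> dict:
    # constructed sample: pickle.dumps only records the reference, it calls nothing
    payload = pickle.dumps(_Stub(), protocol=4)
    if as_torch_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("archive/data.pkl", payload)
        payload = buf.getvalue()
    return _wrap(payload)


if __name__ == "__main__":
    print("benign:", check_wrapper_config(benign_config()))
    print("suspicious:", check_wrapper_config(suspicious_config()))
    print("suspicious (zip):", check_wrapper_config(suspicious_config(as_torch_zip=True)))
```

Run before loading: a non-empty result is reason not to pass the file to any code path that ends in torch.load() with weights_only=False, regardless of whether safe_mode is set. The scan is an approximation of the stack, so it is a pre-load check, not a replacement for loading with weights_only=True or for treating third-party model files as untrusted input.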
HiddenLayer confirmed that Keras versions 3.11.0 through 3.11.2 are vulnerable. The issue affects systems using PyTorch as the backend (KERAS_BACKEND="torch"), though configurations using JAX, TensorFlow, or OpenVINO are unaffected.
Because Keras is widely used in research, academic, and production ML pipelines, this vulnerability poses a high-impact threat to ML supply chain security. HiddenLayer categorizes it as a CVSS 9.8 critical-severity flaw, noting that “any user who loads this crafted model will unknowingly execute arbitrary commands on their machine.”