
A security vulnerability has been discovered in Keras, a widely used multi-backend deep learning framework. The vulnerability, tracked as CVE-2025-1550 with a CVSS score of 7.3, allows arbitrary code execution.
Keras is known for its versatility, supporting backends like JAX, TensorFlow, PyTorch, and OpenVINO. It empowers developers to build and train models for various applications, including computer vision, natural language processing, audio processing, timeseries forecasting, and recommender systems. Its popularity is evident in its adoption by prominent organizations such as CERN, NASA, and NIH.
The vulnerability lies within the Keras Model.load_model function. Even with safe_mode=True, the function is susceptible to arbitrary code execution through a maliciously crafted .keras archive. Attackers can exploit this by manipulating the config.json file within the archive, which lets them specify arbitrary Python modules and functions, along with their arguments. These are then loaded and executed during the model loading process.
The impact of this vulnerability is significant, as it enables attackers to execute arbitrary code on systems using the affected Keras versions.
A patch has been released to address this issue. The vulnerability is fixed in Keras version 3.9 and later, and users are strongly advised to upgrade to version 3.9 or later to mitigate the risk.
In addition to upgrading, users are advised to only load models from trusted sources and to use model archives that they have created themselves with Keras. This can serve as a workaround for those who cannot immediately update.
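As a triage aid for archives of uncertain origin, the following added example (not code from Keras or from the advisory) reads config.json from a .keras archive as a plain zip, without loading the model, and reports every serialized object whose module falls outside an allowlist. The allowlist, the function names and the sample archive are assumptions constructed for illustration; an empty result does not prove an archive is safe and does not replace upgrading.

```python
import io
import json
import zipfile

# Assumption: module prefixes expected in a model built only from stock Keras.
ALLOWED_PREFIXES = ("keras",)

def iter_references(node, path="$"):
    """Yield (json_path, module, class_name) for every serialized object."""
    if isinstance(node, dict):
        if "module" in node or "class_name" in node:
            yield path, node.get("module"), node.get("class_name")
        for key, value in node.items():
            yield from iter_references(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_references(value, f"{path}[{i}]")

def is_allowed(module):
    """True only for an allowlisted package or one of its submodules."""
    return isinstance(module, str) and any(
        module == p or module.startswith(p + ".") for p in ALLOWED_PREFIXES)

def audit_keras_archive(source):
    """Return references in config.json whose module is not allowlisted.

    The archive is read as a zip file and parsed as JSON only; nothing is
    imported or deserialized by Keras. Entries with a missing or null
    module are reported too, for manual review.
    """
    with zipfile.ZipFile(source) as archive:
        config = json.loads(archive.read("config.json"))
    return [ref for ref in iter_references(config) if not is_allowed(ref[1])]

def build_sample(layer_module):
    """Constructed sample archive; layer_module is a placeholder value."""
    config = {"module": "keras", "class_name": "Sequential", "config": {"layers": [
        {"module": "keras.layers", "class_name": "Dense", "config": {"units": 1}},
        {"module": layer_module, "class_name": "placeholder_callable", "config": {}},
    ]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("config.json", json.dumps(config))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = build_sample("example_untrusted_module")
    for path, module, name in audit_keras_archive(sample):
        print(f"review before loading: {path} -> {module}.{name}")
```

audit_keras_archive accepts a file path or a file-like object, so it can run in an intake pipeline before any call to load_model.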