CVE-2025-1550: Keras arbitrary code execution vulnerability

March 11, 2025

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.

References

github.com/advisories/GHSA-5478-v2w6-c6q7
github.com/keras-team/keras
github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903
github.com/keras-team/keras/pull/20751
github.com/keras-team/keras/releases/tag/v3.9.0
nvd.nist.gov/vuln/detail/CVE-2025-1550

Code Behaviors & Features

Detect and mitigate CVE-2025-1550 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →