Keras Saveable Unprotected Deserialization → RCE PoC
WARNING: MALICIOUS FILE. SECURITY RESEARCH ONLY.
Vulnerability
File: keras/src/saving/keras_saveable.py
Function: _unpickle_model(), __reduce__()
Type: Remote Code Execution (Insecure Deserialization)
Description
KerasSaveable.__reduce__() tells pickle to rebuild the object by calling
KerasSaveable._unpickle_model on a buffer that holds the serialized model,
and _unpickle_model hands that buffer to _load_model_from_fileobj() with
safe_mode=False hardcoded. Nothing on this path allowlists what the buffer
may contain (simplified sketch of keras/src/saving/keras_saveable.py):

    import io

    class KerasSaveable:
        def __reduce__(self):
            buf = io.BytesIO()  # the model archive is written into buf (elided)
            return (self._unpickle_model, (buf,))

        @classmethod
        def _unpickle_model(cls, buf):
            return _load_model_from_fileobj(buf, safe_mode=False)  # NO PROTECTION

When a victim calls pickle.load() on a malicious KerasSaveable pickle, the
unpickler invokes this reducer and the embedded model archive is loaded with
safe_mode=False, so code the attacker placed in the archive (for example in a
Lambda layer, which is exactly what safe_mode=True refuses to deserialize)
runs in the victim's process.

Caveat for practitioners: pickle.load() on an untrusted stream is already
arbitrary code execution on its own. The stream can name any importable
callable (os.system, builtins.eval, ...) and have the unpickler call it, so
the hardcoded safe_mode=False only matters for a pickle that routes through
Keras's own loader. The defensive conclusion is the same either way: never
pickle.load() data you do not trust, and load shared models from the
.keras/.h5 archive with keras.saving.load_model(), whose safe_mode argument
defaults to True.
Impact
- Severity: Critical (CVSS 9.1)
- Attack Vector: Serve malicious pickle → victim calls pickle.load()
- Result: Arbitrary code execution as the process user
Reproduction

    import pickle

    # Opening the file is harmless; pickle.load() is the trigger: it resolves
    # the reducer stored in the stream (here KerasSaveable._unpickle_model)
    # and calls it before returning anything to the caller.
    with open("malicious_keras_rce.pkl", "rb") as f:
        result = pickle.load(f)  # RCE triggered via __reduce__
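The check a practitioner wants before ever calling pickle.load() on a file like this is a static look at the stream. The example below is added here and is not part of this PoC or of Keras: it walks the pickle with pickletools.genops, which parses opcodes without executing them, lists every global the stream imports (both the GLOBAL form used by protocols 0 to 3 and the STACK_GLOBAL form used by protocol 4+), counts the opcodes that call something, and compares the globals against an allowlist. The allowlist is an assumption for the example, the payload class is constructed for the example (pickle.dumps only serializes, so nothing is executed), and the rule "any global under the keras package means Keras's own loader will run with safe_mode=False" is taken from the advisory text above.

```python
import pickle
import pickletools

# Globals a plain data pickle legitimately needs. Anything else is a callable
# the unpickler will import and may invoke; treat it as hostile unless you can
# justify it. (This allowlist is an assumption made for the example.)
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "frozenset"), ("builtins", "bytearray"),
    ("builtins", "complex"), ("builtins", "slice"),
    ("collections", "OrderedDict"), ("copyreg", "_reconstructor"),
}

# Opcodes that push a str onto the unpickler's stack. STACK_GLOBAL (protocol 4+)
# takes its module and attribute name from the two most recently pushed ones.
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that call a previously resolved global during unpickling.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Statically inspect a pickle stream. genops only parses; it never
    resolves or calls anything, so this is safe on hostile input."""
    globals_seen = []
    recent_strings = []  # last two string pushes, consumed by STACK_GLOBAL
    calls = 0
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPCODES:
            recent_strings = (recent_strings + [arg])[-2:]
        elif op.name == "GLOBAL":
            mod, name = arg.split(" ", 1)  # genops renders "module name"
            globals_seen.append((mod, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) == 2:
            globals_seen.append(tuple(recent_strings))
        elif op.name in CALL_OPCODES:
            calls += 1
    disallowed = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    # A reference into the keras package hands control to Keras's own loader
    # (the _unpickle_model path), which the advisory says runs safe_mode=False.
    keras_refs = [g for g in globals_seen if g[0].split(".")[0] == "keras"]
    return {"globals": globals_seen, "calls": calls,
            "disallowed": disallowed, "keras_refs": keras_refs}


def is_safe_to_load(data: bytes) -> bool:
    """True only if every imported global is on the allowlist."""
    return not scan_pickle(data)["disallowed"]


class _ConstructedPayload:
    """Constructed sample: a __reduce__ that makes the unpickler call eval()
    on attacker-chosen source. This script only inspects it, never loads it."""
    def __reduce__(self):
        return (eval, ("__import__('os').system('echo pwned')",))


# Constructed samples. pickle.dumps serializes without calling the reducer's
# target, so building these is harmless.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3})
MALICIOUS_P3 = pickle.dumps(_ConstructedPayload(), protocol=3)  # GLOBAL opcode
MALICIOUS_P4 = pickle.dumps(_ConstructedPayload(), protocol=4)  # STACK_GLOBAL


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("p3", MALICIOUS_P3),
                        ("p4", MALICIOUS_P4)):
        print(label, "safe" if is_safe_to_load(blob) else "UNSAFE",
              scan_pickle(blob))
```

Run it against malicious_keras_rce.pkl by passing the file's bytes to scan_pickle(); the point is that the report comes back before any code in the stream gets a chance to run. The scanner is a triage tool, not a sandbox: a pickle that resolves callables through allowlisted globals (for example via copyreg helpers) can still slip past an allowlist, which is why the only reliable rule remains not to pickle.load() untrusted data at all.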
References