Keras Arbitrary File Loading and Server-Side Request Forgery Vulnerability in Model Loading
Vulnerability
A vulnerability in the Keras library's model loading process allows for arbitrary local file reading and server-side request forgery (SSRF). This issue arises in the StringLookup layer when models are loaded from specially crafted .keras archives. The vulnerability exists in Keras versions prior to the fix implemented in October 2025.
Impact
Exploitation of this vulnerability could lead to unauthorized access to local files on the server where Keras is running, as well as the potential to make arbitrary network requests from the server's context.
Reproduction
To reproduce this vulnerability, create a .keras file that includes a local file path in the StringLookup layer's vocabulary argument. When this model is loaded with the Keras.Model.load_model method, Keras will attempt to read the specified local file, allowing access to its contents. Additionally, because Keras file operations can use remote filesystem handlers and HTTP/HTTPS protocols, this vulnerability can be exploited to fetch data from external network endpoints, creating an SSRF condition.
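A pre-load check a defender could run before handing an untrusted .keras archive to load_model, added here as an illustration and not code from Keras or this advisory. It assumes only that the archive is a zip whose config.json describes layers as dicts with class_name and config keys, and it constructs its sample archive in memory; a StringLookup vocabulary stored as a string (a path or URL to be fetched at load time) rather than an inline list is flagged.

```python
import io
import json
import zipfile

# Constructed sample: a minimal .keras-style archive (a zip with config.json)
# whose StringLookup layer carries a path string instead of an inline vocabulary.
# Assembled in memory for the check below; it is not a real model from the page.
def build_sample_archive(vocabulary):
    config = {
        "class_name": "Sequential",
        "config": {
            "layers": [
                {"class_name": "InputLayer", "config": {"shape": [1]}},
                {"class_name": "StringLookup", "config": {"vocabulary": vocabulary}},
            ]
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()

def find_external_vocabularies(tree, path="config"):
    """Walk the layer config tree (nested models included) and collect every
    StringLookup whose vocabulary is a string, i.e. a file path or URL that
    would be read at load time, rather than an inline list of tokens."""
    hits = []
    if isinstance(tree, dict):
        cfg = tree.get("config")
        if tree.get("class_name") == "StringLookup" and isinstance(cfg, dict):
            vocab = cfg.get("vocabulary")
            if isinstance(vocab, str):
                hits.append((path, vocab))
        for key, value in tree.items():
            hits.extend(find_external_vocabularies(value, f"{path}.{key}"))
    elif isinstance(tree, list):
        for i, item in enumerate(tree):
            hits.extend(find_external_vocabularies(item, f"{path}[{i}]"))
    return hits

def check_keras_archive(archive_bytes):
    """Return (location, vocabulary) findings for an archive; an empty list
    means no StringLookup layer references an external path or URL."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_external_vocabularies(config)

if __name__ == "__main__":
    suspicious = build_sample_archive("/some/local/file.txt")  # constructed path
    print(check_keras_archive(suspicious))  # one finding; refuse to load
```

Refusing archives with any finding, or only loading from trusted sources, closes the gap for deployments that cannot upgrade immediately.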
Remediation
Users should update to the latest version of Keras, where this vulnerability has been addressed.