Keras Model.load_model Function Arbitrary Code Execution Vulnerability
Vulnerability
A vulnerability in the Keras library's Model.load_model function allows arbitrary code execution even when safe_mode is enabled. The issue arises because a malicious .keras archive can be crafted that, when loaded, imports the Python modules and calls the functions named in its configuration, with the arguments supplied there. The vulnerability affects Keras versions 3.6 and prior and is caused by insufficient validation during deserialization of functional models; it is triggered by manipulating the config.json file inside the .keras archive.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of arbitrary code within the context of the user running the Keras application.
Reproduction
To reproduce this vulnerability, create a .keras archive that includes a config.json file. In this file, specify the Python modules and functions to be executed during model loading. Load the archive with the Model.load_model function with safe_mode set to True; the code still executes.
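As a defensive complement to the reproduction above, the following check is an added example (not code from this page or from the Keras project): it opens a .keras archive, walks its config.json and reports every `module` reference that falls outside an allowlist of Keras namespaces, so an archive can be inspected before it is ever passed to load_model. The allowlist and both sample archives are assumptions constructed for the example.

```python
import io
import json
import zipfile

# Assumption for this example: a benign Keras config.json only references
# modules under these top-level packages. Tune the list for your deployment.
ALLOWED_TOP_LEVEL_MODULES = ("keras", "keras_core", "builtins")


def iter_module_refs(node, path="$"):
    """Recursively yield (json_path, module, class_name) for every object in
    the config tree that carries a "module" key."""
    if isinstance(node, dict):
        if "module" in node:
            yield path, node.get("module"), node.get("class_name")
        for key, value in node.items():
            yield from iter_module_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_module_refs(item, f"{path}[{index}]")


def suspicious_refs(config):
    """Return module references whose top-level package is not allowlisted
    (or whose "module" value is not even a string)."""
    return [
        ref for ref in iter_module_refs(config)
        if not isinstance(ref[1], str)
        or ref[1].split(".")[0] not in ALLOWED_TOP_LEVEL_MODULES
    ]


def scan_keras_archive(data: bytes):
    """A .keras archive is a zip; read config.json and return suspicious refs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return suspicious_refs(config)


def build_sample_archive(config) -> bytes:
    """Constructed sample: pack a config dict into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


# Constructed samples: a plain Dense layer, and a layer whose "module" points
# at a placeholder package outside the Keras namespace.
BENIGN = {"module": "keras", "class_name": "Functional", "config": {"layers": [
    {"module": "keras.layers", "class_name": "Dense", "config": {"units": 4}}]}}
SUSPECT = {"module": "keras", "class_name": "Functional", "config": {"layers": [
    {"module": "untrusted_pkg", "class_name": "Anything", "config": {}}]}}
```

A non-empty result means the archive references code outside Keras and should be quarantined rather than loaded; an empty result is not proof of safety on versions 3.6 and prior, where updating remains the fix.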
Remediation
Update to Keras version 3.7 or later, where this vulnerability has been addressed.