Keras Framework Arbitrary Code Execution Vulnerability in TorchModuleWrapper Class
Vulnerability
A vulnerability allowing arbitrary code execution exists in the Keras framework, in versions 3.11.0 up to but not including 3.11.3. The issue is in the TorchModuleWrapper class, whose from_config method deserializes the wrapped torch module with torch.load() called with weights_only=False. With weights_only=False, torch.load() falls back to Python's full pickle module, which can instantiate arbitrary objects and therefore run arbitrary code during deserialization. A maliciously crafted Keras model file can exploit this to run attacker-controlled commands on the user's system when the model is loaded; because the call was not gated by Keras safe mode, it succeeds even with safe mode enabled. The vulnerability can be triggered with both local and remote files.
Impact
Exploitation of this vulnerability allows arbitrary code execution on the system of the user who loads the model, with the privileges of the process that performs the load.
Reproduction
The vulnerability can be reproduced by creating a Keras model file whose configuration contains a TorchModuleWrapper layer wrapping a pickled payload that executes code when it is deserialized. The payload is embedded in the layer's serialized configuration and the model is saved as a .keras file. Loading that file with Keras, with safe mode left enabled, triggers execution of the embedded code. The same holds for remote files: loading a malicious model from a private Hugging Face repository through an hf:// link also triggers the payload.
Remediation
Users should upgrade to Keras version 3.11.3 or later, in which TorchModuleWrapper.from_config refuses to deserialize the pickled module while safe mode is enabled; loading such a model then requires explicitly passing safe_mode=False, which should only be done for models from a trusted source. Until the upgrade is in place, do not load .keras files from untrusted sources, and inspect the config.json inside an archive for TorchModuleWrapper layers before loading it.
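The following is an added illustration of the mechanism described under Vulnerability and Reproduction and of the two defences mentioned under Remediation; it is not Keras or torch code and imports neither. Python's pickle.loads stands in for torch.load(weights_only=False), an allowlist Unpickler stands in for weights_only=True, the config layout (a base64 pickle under a "module" key) is a hypothetical simplification of the real layer config, and the payload records a marker instead of running a command. The find_wrapper_layers check at the end reads only the JSON config of a .keras-style archive and is the kind of pre-load inspection a practitioner would run on an untrusted file.

```python
"""Stdlib-only model of the TorchModuleWrapper pickle issue and its fixes."""
import base64
import io
import json
import pickle
import zipfile

EXECUTED = []  # records side effects so a caller can see that code ran


def _attacker_code(marker):
    """Stand-in for os.system / subprocess in a real payload."""
    EXECUTED.append(marker)
    return marker


class MaliciousModule:
    """Pickles to a call of _attacker_code; a real payload would point
    __reduce__ at os.system or similar in exactly the same way."""

    def __reduce__(self):
        return (_attacker_code, ("pwned",))


def build_malicious_config():
    """Hypothetical layer config: the wrapped module as base64 pickle bytes."""
    blob = pickle.dumps(MaliciousModule())
    return {
        "class_name": "TorchModuleWrapper",
        "config": {"name": "wrapped", "module": base64.b64encode(blob).decode()},
    }


def vulnerable_from_config(config, safe_mode=True):
    """Models Keras 3.11.0 to 3.11.2: safe_mode is accepted but never
    consulted, and the blob goes through the full unpickler."""
    del safe_mode  # ignored, which is the bug
    return pickle.loads(base64.b64decode(config["config"]["module"]))


def fixed_from_config(config, safe_mode=True):
    """Models 3.11.3: refuse while safe mode is on; the caller must opt out."""
    if safe_mode:
        raise ValueError(
            "Refusing to deserialize a pickled torch module with safe_mode=True; "
            "pass safe_mode=False only for models from a trusted source"
        )
    return pickle.loads(base64.b64decode(config["config"]["module"]))


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist unpickler, the idea behind torch.load(weights_only=True):
    only plain containers may be referenced, so __reduce__ payloads fail."""

    ALLOWED = {("collections", "OrderedDict"), ("builtins", "dict"),
               ("builtins", "list"), ("builtins", "tuple")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_from_config(config):
    """Same blob, loaded through the allowlist unpickler instead."""
    blob = base64.b64decode(config["config"]["module"])
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def build_keras_archive(layer_configs):
    """Write a minimal .keras-style zip (config.json only) to bytes.
    Constructed for this example; real archives also carry weights."""
    model_config = {"class_name": "Sequential",
                    "config": {"name": "m", "layers": layer_configs}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(model_config))
    return buf.getvalue()


def find_wrapper_layers(archive_bytes):
    """Pre-load check: name every TorchModuleWrapper in config.json without
    deserializing anything other than JSON."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        config = json.loads(zf.read("config.json"))
    found = []

    def walk(node):
        if isinstance(node, dict):
            if node.get("class_name") == "TorchModuleWrapper":
                found.append(node.get("config", {}).get("name"))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(config)
    return found
```

Calling vulnerable_from_config on build_malicious_config() appends "pwned" to EXECUTED regardless of the safe_mode argument, which is the whole bug; fixed_from_config raises before touching the blob unless safe_mode=False is passed, and restricted_from_config fails at find_class because the payload's function is not on the allowlist. find_wrapper_layers gives a cheap way to spot such a layer in an archive before any loader runs.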
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
