Keras Safe Mode Bypass Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability has been identified in Keras versions 3.0.0 through 3.10.0 that allows arbitrary code execution by bypassing the 'safe mode' feature. The issue lies in the 'Model.load_model' method: an attacker who persuades a user to load a malicious '.keras' model archive can trigger it. The vulnerability abuses the deserialization of Lambda layers, which can carry embedded Python code, and uses Keras's Functional API to invoke arbitrary functions available on the victim's machine.
Impact
Exploitation of this vulnerability allows arbitrary code execution on the machine where the malicious model is loaded.
Reproduction
To reproduce this vulnerability, create a Keras model that includes a Lambda layer configured to execute a function that, for example, downloads a file from the internet and saves it to a chosen location on the local file system. Save the model as a '.keras' archive and load it with the 'Model.load_model' method with 'safe_mode' set to True. Despite safe mode being enabled, the code embedded in the Lambda layer executes, demonstrating the vulnerability.
Remediation
Users can update to Keras version 3.10.1 or later, where this vulnerability has been addressed.
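Because the danger described above is triggered at load time, a defender wants to know what an archive references before calling 'load_model' at all. The following is an added example (not code from this advisory or from the Keras project) that inspects a '.keras' archive as plain JSON, flagging Lambda layers and any layer record whose 'module' falls outside a Keras allow-list, without deserializing anything. It assumes the Keras 3 archive layout (a zip containing 'config.json', 'metadata.json' and a weights file) and that serialized layer records carry 'class_name' and 'module' keys; the allow-list and the sample configs are constructed for the example.

```python
"""Inspect a .keras archive for load-time code execution risks before loading it.

Added example; not code from the advisory or from the Keras project. It assumes
the Keras 3 archive layout (a zip containing config.json, metadata.json and a
weights file) and that serialized layers carry "class_name" and "module" keys.
Only the JSON is read, so nothing in the archive is deserialized or executed.
"""
import io
import json
import sys
import zipfile

# Layer types whose config carries serialized Python code that runs on load.
CODE_BEARING_LAYERS = {"Lambda"}


def _trusted_module(module: str) -> bool:
    """Allow-list of module names a stock Keras model is expected to reference.

    Assumption: a deployment would extend this with its own registered packages.
    """
    return module == "keras" or module.startswith("keras.")


def _walk(node, path, findings):
    """Recursively visit the config tree and record entries that need review."""
    if isinstance(node, dict):
        cls = node.get("class_name")
        module = node.get("module")
        if cls in CODE_BEARING_LAYERS:
            findings.append({"path": path, "kind": "code_bearing_layer",
                             "class_name": cls})
        if isinstance(module, str) and not _trusted_module(module):
            findings.append({"path": path, "kind": "untrusted_module",
                             "module": module, "class_name": cls})
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", findings)


def inspect_keras_archive(data: bytes) -> list:
    """Return a list of findings for a .keras archive supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        if "config.json" not in archive.namelist():
            return [{"path": "", "kind": "missing_config"}]
        config = json.loads(archive.read("config.json"))
    findings: list = []
    _walk(config, "config", findings)
    return findings


def is_safe_to_load(data: bytes) -> bool:
    """True only when the archive references no code-bearing layer or untrusted module."""
    return not inspect_keras_archive(data)


def build_archive(config: dict) -> bytes:
    """Build a minimal in-memory .keras-style zip around a config (constructed sample)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
        archive.writestr("config.json", json.dumps(config))
        archive.writestr("model.weights.h5", b"")  # weights are irrelevant to this check
    return buffer.getvalue()


# Constructed sample configs (not real models): a plain Dense model, one with a
# Lambda layer, and one referencing a custom package outside the allow-list.
BENIGN_CONFIG = {
    "module": "keras", "class_name": "Sequential",
    "config": {"name": "benign", "layers": [
        {"module": "keras.layers", "class_name": "Dense",
         "config": {"name": "dense", "units": 4, "activation": "relu"}},
    ]},
}
LAMBDA_CONFIG = {
    "module": "keras", "class_name": "Sequential",
    "config": {"name": "suspicious", "layers": [
        {"module": "keras.layers", "class_name": "Lambda",
         "config": {"name": "lambda", "function": {
             "class_name": "__lambda__",
             "config": {"code": "<serialized bytecode placeholder>"}}}},
    ]},
}
CUSTOM_MODULE_CONFIG = {
    "module": "keras", "class_name": "Sequential",
    "config": {"name": "custom", "layers": [
        {"module": "my_custom_package.layers", "class_name": "MyLayer",
         "config": {"name": "my_layer"}},
    ]},
}


if __name__ == "__main__":
    # Usage: python inspect_keras.py model.keras
    with open(sys.argv[1], "rb") as fh:
        for finding in inspect_keras_archive(fh.read()):
            print(finding)
```

The check is deliberately conservative: a finding does not prove the archive is malicious (Lambda layers and custom packages have legitimate uses), but it does mean the archive should not be loaded with 'load_model' until a reviewer has confirmed where the code or module comes from. Pair it with the upgrade to 3.10.1 or later rather than relying on it alone.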
