Keras Arbitrary Code Execution Vulnerability in Legacy HDF5 Model Loading
Vulnerability
A vulnerability in the Keras library's model loading function for the legacy HDF5 format (.h5/.hdf5) allows arbitrary code execution. The issue arises because the 'safe_mode=True' option is not enforced when loading .h5 archives, so the safeguard that is meant to block unsafe deserialization does not apply to this path. The vulnerability leverages the Lambda layer feature, which can execute arbitrary Python code through pickling. Although Keras 3 keeps this format for backward compatibility, the missing safety check makes loading an untrusted .h5 file a significant risk.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of arbitrary code in the process that loads the model with Keras.
Reproduction
To reproduce this vulnerability, create a malicious .h5 or .hdf5 file that includes a Lambda layer with pickled Python code. When this file is loaded using the Model.load_model method, the embedded code is executed, bypassing the 'safe_mode=True' safeguard, because the legacy HDF5 format handling in Keras does not apply it.
Remediation
Users can update to Keras version 3.11.3, which restores the 'safe_mode' functionality in the legacy H5 loading process, preventing the execution of unsafe custom objects by default.
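As a compensating control until the upgrade is in place, the following added example (not code from the page or from the Keras project) reads the legacy .h5 file's top-level model_config attribute with h5py and reports any Lambda layer before anything is handed to the Keras deserializer. The helper names, the UNSAFE_LAYER_CLASSES set and the sample configuration are assumptions constructed for the example.

```python
import json
from typing import Any, Iterator, List

# Layer classes whose legacy HDF5 deserialisation can run embedded code.
# The page discusses Lambda; the set is explicit so it can be extended.
UNSAFE_LAYER_CLASSES = {"Lambda"}

def _walk(node: Any) -> Iterator[dict]:
    """Yield every dict in a nested JSON structure, depth-first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)

def find_unsafe_layers(model_config) -> List[str]:
    """Names of layers whose class_name is in UNSAFE_LAYER_CLASSES.
    Accepts the model_config JSON (str or bytes) or the parsed dict; nested
    models and wrappers such as TimeDistributed are covered by the walk."""
    if isinstance(model_config, (str, bytes)):
        model_config = json.loads(model_config)
    names = []
    for node in _walk(model_config):
        if node.get("class_name") in UNSAFE_LAYER_CLASSES:
            names.append((node.get("config") or {}).get("name", "<unnamed>"))
    return names

def inspect_h5_model(path: str) -> List[str]:
    """Read model_config from a legacy .h5 file with h5py (nothing is passed
    to the Keras deserialiser) and return the unsafe layer names found."""
    import h5py  # imported lazily so the JSON check runs without it
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
    if raw is None:
        raise ValueError(f"{path}: no model_config attribute, not a Keras H5 model")
    return find_unsafe_layers(raw)

# Constructed sample: a Sequential model with a Dense layer and a Lambda
# layer hidden inside a TimeDistributed wrapper.
SAMPLE_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "seq", "layers": [
        {"class_name": "Dense", "config": {"name": "dense_1", "units": 8}},
        {"class_name": "TimeDistributed", "config": {"name": "td", "layer":
            {"class_name": "Lambda", "config": {"name": "lambda_1"}}}},
    ]},
})
```

Run inspect_h5_model on a file before calling the Keras loader and refuse to load it when the returned list is not empty; the check only parses JSON metadata, so it cannot trigger the Lambda code path itself.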
