Keras Arbitrary Code Execution Vulnerability via Unsafe Deserialization

Vulnerability

A vulnerability in the Keras model-loading function (keras.saving.load_model, also exposed as keras.models.load_model) allows arbitrary code execution when a .keras archive is loaded, even with the default safe_mode=True. A .keras file is a zip archive whose config.json describes the model. The loader's generic object deserializer resolves each config entry's module and class_name to a Python callable and invokes it with the entry's arguments, so a hand-crafted config.json can name functions that were never meant to be reachable from a model file. The exploit chains two steps inside that one file: an entry that resolves to keras.config.enable_unsafe_deserialization(), which turns safe mode off for the whole process, followed by a Lambda layer whose config carries a serialized Python function (marshalled bytecode, base64-encoded, which is how Keras normally stores Lambda functions) that Keras now deserializes and runs because the guard is gone. Both the guard-disabling entry and the Lambda layer live in the same config.json.

Impact

Successful exploitation gives the attacker arbitrary code execution in the process that loads the model, with that process's privileges, credentials, data access and network reach. Any workflow that loads .keras files from untrusted sources, such as public model hubs, shared artifact stores, or automated fine-tuning and evaluation pipelines, is affected; the safe_mode default, which is the only built-in guard against Lambda deserialization, provides no protection.

Reproduction

To reproduce this vulnerability, build a .keras zip archive by hand and edit its config.json so that the layer list contains an entry whose module and class_name resolve to keras.config.enable_unsafe_deserialization; deserializing that entry calls the function and disables safe mode for the remainder of the load. After it, include a Lambda layer whose config carries a serialized Python function (the base64-encoded marshalled bytecode Keras writes for Lambda layers) containing the code to run. Ordering matters: entries in config.json are deserialized in sequence, so the guard-disabling entry must come before the Lambda layer; otherwise safe mode still rejects the Lambda while it is being deserialized.

Remediation

Users should update to a Keras release that contains the fix for this issue. Until the upgrade is in place, treat .keras files from untrusted sources as untrusted code: inspect config.json before calling load_model and reject archives whose entries name anything outside the expected layer modules (in particular keras.config.enable_unsafe_deserialization) or contain Lambda layers; never call keras.config.enable_unsafe_deserialization() in a process that loads third-party models; and load such models only in an isolated, low-privilege environment.
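A pre-load check for the pattern described under Reproduction above, as an added example; this is not code from the advisory or from the Keras project. It assumes (as stated in the code) that a .keras file is a zip archive whose config.json holds the serialized model and that serialized objects are JSON dicts carrying "module", "class_name" and an optional "registered_name" which Keras resolves to a Python callable; the allowlist of modules is a starting point to tune per deployment, and the sample configs are constructed, with a placeholder string where real Lambda bytecode would sit. The scanner never imports Keras and executes nothing from the archive.

```python
"""Inspect a .keras archive's config.json for entries that would disable safe_mode
or carry executable Python, before the archive is ever handed to load_model.

Assumptions (not taken from the advisory):
  * a .keras file is a zip whose config.json holds the serialized model;
  * serialized objects are dicts with "module", "class_name" and optionally
    "registered_name", which Keras resolves to a callable;
  * ALLOWED_MODULES is a starting point and should be tuned per deployment.
"""
import io
import json
import zipfile

# Modules an ordinary model is expected to reference (assumption; tune as needed).
ALLOWED_MODULES = {
    "keras", "keras.layers", "keras.models", "keras.activations",
    "keras.initializers", "keras.regularizers", "keras.constraints",
    "keras.optimizers", "keras.losses", "keras.metrics",
}
# Layer types whose config carries executable Python (serialized function bytecode).
DANGEROUS_CLASSES = {"Lambda"}
# Callables that switch the global deserialization guard off.
DANGEROUS_NAMES = {"enable_unsafe_deserialization"}


def _walk(node, path, findings):
    """Depth-first walk; every dict naming a module/class is inspected."""
    if isinstance(node, dict):
        mod = node.get("module")
        cls = node.get("class_name")
        reg = node.get("registered_name")
        for name in (cls, reg):
            if isinstance(name, str) and name in DANGEROUS_NAMES:
                findings.append(f"{path}: entry resolves to {mod}.{name}, which disables safe_mode")
        if isinstance(cls, str) and cls in DANGEROUS_CLASSES:
            findings.append(f"{path}: {cls} layer embeds executable Python bytecode")
        if isinstance(mod, str) and mod not in ALLOWED_MODULES:
            findings.append(f"{path}: object from non-allowlisted module {mod!r}")
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", findings)


def scan_keras_archive(data: bytes) -> list:
    """Return a list of findings for the archive bytes; an empty list means nothing suspicious."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            return ["archive has no config.json"]
        config = json.loads(zf.read("config.json"))
    findings = []
    _walk(config, "$", findings)
    return findings


def build_archive(config: dict) -> bytes:
    """Build a minimal in-memory .keras-style zip for testing (weights file is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")  # placeholder, not a real HDF5 file
    return buf.getvalue()


# Constructed sample: an ordinary two-layer model.
BENIGN_CONFIG = {
    "module": "keras", "class_name": "Sequential", "registered_name": None,
    "config": {"name": "mlp", "layers": [
        {"module": "keras.layers", "class_name": "Dense", "registered_name": None,
         "config": {"units": 8, "activation": "relu"}},
        {"module": "keras.layers", "class_name": "Dense", "registered_name": None,
         "config": {"units": 1}},
    ]},
}

# Constructed sample of the shape the advisory describes: an entry naming the
# safe-mode switch placed before a Lambda layer. The "function" value is a
# placeholder string, not bytecode, and the exact keys are an assumption.
MALICIOUS_CONFIG = {
    "module": "keras", "class_name": "Sequential", "registered_name": None,
    "config": {"name": "mlp", "layers": [
        {"module": "keras.config", "class_name": "enable_unsafe_deserialization",
         "registered_name": None, "config": {}},
        {"module": "keras.layers", "class_name": "Lambda", "registered_name": None,
         "config": {"function": ["<placeholder, not real bytecode>", None, None]}},
    ]},
}


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("malicious", MALICIOUS_CONFIG)):
        result = scan_keras_archive(build_archive(cfg))
        print(label, "->", "clean" if not result else result)
```

Gate the real load on an empty result (call load_model only when scan_keras_archive returns nothing) and treat any finding as a hard reject rather than a warning; the scan is a heuristic stopgap, and a patched Keras release remains the actual fix.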

Added: Sep 19, 2025, 9:16 AM
Updated: Sep 19, 2025, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.5
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.