CVE-2025-1550
Published: 11 March 2025
Summary
CVE-2025-1550 is a high-severity Code Injection (CWE-94) vulnerability in Keras. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 6.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Deep Learning Frameworks, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability affects the Model.load_model function of the Keras deep learning framework. A manually crafted malicious .keras archive can bypass the safe_mode=True setting by embedding attacker-controlled entries in its config.json file, causing arbitrary Python modules and functions to be imported and executed during deserialization.
An attacker who can supply a model file to a victim application or user can achieve remote or local code execution with the privileges of the loading process. The attack requires the target to invoke load_model on the tainted archive and succeeds even when the documented safe-mode protection is enabled; this is consistent with the CVSS 7.3 rating, which reflects local access and a requirement for limited user interaction.
A fix has been proposed in Keras pull request 20751. The associated technical write-up at towerofhanoi.it details the config.json manipulation technique. The issue is relevant to any machine-learning pipeline that loads untrusted models. The EPSS score has remained flat at 0.0988, with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7406
Vulnerability details
The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.
- CWE(s): CWE-94 (Code Injection)
AI Security Analysis
- AI Category: Deep Learning Frameworks
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: keras
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary Python code execution via deserialization of a malicious .keras model file during Keras load_model, even with safe_mode=True. Because it exploits client-side software and leverages the Python interpreter, it maps to Exploitation for Client Execution (T1203).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the arbitrary code execution vulnerability by updating Keras to the patched version addressing the unsafe deserialization in Model.load_model.
- SI-10 (Information Input Validation): Validates the structure and content of .keras archive files, including config.json, to block malicious modifications that inject arbitrary Python code during model loading.
- Verifies the integrity of .keras model files using cryptographic mechanisms to detect tampering and prevent loading of malicious archives from untrusted sources.
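The SI-10 control above, and the config.json manipulation described under Vulnerability details, can be turned into a concrete pre-load check. The following is an added example, not Keras project code: it opens a .keras archive (a zip containing config.json, metadata.json and model.weights.h5), walks every "module" key in config.json and rejects any module not under an allowlisted prefix, and flags unexpected archive members. The allowlist, the constructed sample configs and the helper names are assumptions for illustration; the check complements upgrading to the fixed Keras version, it does not replace it.

```python
import io
import json
import zipfile

# Module prefixes a legitimate Keras 3 config.json is expected to reference
# (assumed policy; extend for trusted extension packages in your environment).
ALLOWED_MODULE_PREFIXES = ("keras",)
EXPECTED_MEMBERS = {"config.json", "metadata.json", "model.weights.h5"}

def _module_allowed(module: str) -> bool:
    """Exact prefix match: 'keras' or 'keras.<sub>', never 'kerasfoo'."""
    return any(module == p or module.startswith(p + ".") for p in ALLOWED_MODULE_PREFIXES)

def _walk_modules(node, path="$"):
    """Yield (json_path, module) for every 'module' key in the config tree."""
    if isinstance(node, dict):
        if isinstance(node.get("module"), str):
            yield path, node["module"]
        for key, value in node.items():
            yield from _walk_modules(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_modules(value, f"{path}[{i}]")

def audit_keras_archive(data: bytes) -> list:
    """Return a list of findings; an empty list means the archive passed policy."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings += [f"unexpected archive member: {n}" for n in sorted(names - EXPECTED_MEMBERS)]
        if "config.json" not in names:
            return findings + ["config.json missing"]
        config = json.loads(zf.read("config.json"))
    for json_path, module in _walk_modules(config):
        if not _module_allowed(module):
            findings.append(f"{json_path}: module {module!r} not in allowlist")
    return findings

def build_archive(config: dict) -> bytes:
    """Constructed sample archive used as a test fixture (not a real trained model)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")
    return buf.getvalue()

# Constructed configs: a normal Sequential model, and one whose layer entry points at a non-Keras module.
BENIGN = {"module": "keras", "class_name": "Sequential", "config": {"layers": [
    {"module": "keras.layers", "class_name": "Dense", "config": {"units": 2}}]}}
SUSPICIOUS = {"module": "keras", "class_name": "Sequential", "config": {"layers": [
    {"module": "os", "class_name": "getcwd", "config": {}}]}}
```

Run `audit_keras_archive(build_archive(SUSPICIOUS))` to see the flagged JSON path; wire the function in front of load_model so that any non-empty result aborts loading.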