Cyber Resilience

CVE-2025-1550

High · Public PoC

Published: 11 March 2025

Modified: 31 July 2025
KEV Added
Patch
CVSS Score (v4): 7.3, vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0988 (93.2nd percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1550 is a high-severity Code Injection (CWE-94) vulnerability in Keras (vendor: Keras). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability affects the Keras deep learning framework's Model.load_model function. A manually crafted malicious .keras archive can bypass the safe_mode=True setting by embedding attacker-controlled entries in its config.json file, causing arbitrary Python modules and functions to be imported and executed during deserialization.

An attacker who can supply a model file to a victim application or user can achieve remote or local code execution with the privileges of the loading process. The attack requires the target to invoke load_model on the tainted archive and succeeds even when the documented safe-mode protection is enabled, which is consistent with the CVSS 7.3 vector (local attack vector, user interaction required).

A fix has been proposed in Keras pull request 20751. The associated technical write-up at towerofhanoi.it details the config.json manipulation technique. The issue is relevant to machine-learning pipelines that load untrusted models; the EPSS score has remained flat at 0.0988 with no observed increase after disclosure.

EU & UK References

Vulnerability details

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.

CWE(s)

AI Security Analysis

AI Category
Deep Learning Frameworks
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: keras

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.006 Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability enables arbitrary code execution in Python via deserialization of a malicious .keras model file during Keras load_model, even with safe_mode=True, exploiting client-side software and leveraging the Python interpreter.

CVEs Like This One

CVE-2026-0897 (same product: Keras)
CVE-2026-1669 (same product: Keras)
CVE-2026-8838 (shared CWE-94)
CVE-2026-44513 (shared CWE-94)
CVE-2025-33250 (shared CWE-94)
CVE-2026-31228 (shared CWE-94)
CVE-2025-66448 (shared CWE-94)
CVE-2026-0500 (shared CWE-94)
CVE-2025-27678 (shared CWE-94)
CVE-2026-40158 (shared CWE-94)

Affected Assets

keras (vendor: keras), versions 3.0.0 through 3.8.0

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the arbitrary code execution vulnerability by updating Keras to the patched version addressing the unsafe deserialization in Model.load_model.

prevent: Validates the structure and content of .keras archive files, including config.json, to block malicious modifications that inject arbitrary Python code during model loading.

prevent: Verifies the integrity of .keras model files using cryptographic mechanisms to detect tampering and prevent loading of malicious archives from untrusted sources.
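As an added defensive example (not Keras project code and not the fix from pull request 20751), the following pre-load check implements the config.json validation control described above for the config.json manipulation covered in the deeper analysis: it opens the .keras archive, walks the serialized config tree, and reports any "module" reference outside an allowlist of Keras namespaces, plus any custom registered_name. The allowlist, the helper names and the in-memory sample archives are assumptions constructed for illustration; the check is meant to run before load_model on any file from an untrusted source and complements upgrading Keras.

```python
import io
import json
import zipfile

# Assumption for illustration: only Keras-owned namespaces may be referenced.
ALLOWED_NAMESPACES = ("keras",)

def _module_allowed(module: str) -> bool:
    return any(module == ns or module.startswith(ns + ".") for ns in ALLOWED_NAMESPACES)

def _walk(node, path: str, findings: list) -> None:
    """Recursively collect disallowed module and custom-object references."""
    if isinstance(node, dict):
        module = node.get("module")
        if isinstance(module, str) and not _module_allowed(module):
            findings.append(f"{path}: module {module!r} "
                            f"(class_name={node.get('class_name')!r}) not allowlisted")
        # Built-in Keras objects serialize with registered_name = null; a string
        # here points at a custom object and deserves a human look.
        if isinstance(node.get("registered_name"), str):
            findings.append(f"{path}: custom registered_name {node['registered_name']!r}")
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)

def audit_keras_archive(archive) -> list:
    """Audit a .keras archive (zip holding config.json); [] means no findings."""
    # `archive` is a path or file-like object, as accepted by zipfile.ZipFile.
    findings: list = []
    with zipfile.ZipFile(archive) as zf:
        if "config.json" not in zf.namelist():
            return ["archive has no config.json"]
        config = json.loads(zf.read("config.json"))
    _walk(config, "config", findings)
    return findings

def build_sample_archive(module: str, class_name: str) -> io.BytesIO:
    """Constructed sample: minimal in-memory archive with a single layer entry."""
    layer = {"module": module, "class_name": class_name,
             "config": {}, "registered_name": None}
    config = {"module": "keras", "class_name": "Sequential",
              "config": {"layers": [layer]}, "registered_name": None}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    buf.seek(0)
    return buf
```

Call `audit_keras_archive("model.keras")` and refuse to deserialize when the returned list is non-empty; the in-memory builder exists only so the check can be exercised without a real model file.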

References