Cyber Posture

CVE-2025-1550

Severity: Critical · Public PoC available

Published: 11 March 2025

Modified: 31 July 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0797 (92.1st percentile)
Risk Priority: 24 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may abuse Python commands and scripts for execution.

Security Summary

CVE-2025-1550 is a critical vulnerability (CVSS 9.8) in the Keras library's Model.load_model function, enabling arbitrary code execution even when safe_mode=True. The issue affects the loading of .keras archive files, where attackers can manually construct a malicious archive by altering the config.json file to specify arbitrary Python modules, functions, and arguments. These are loaded and executed during model deserialization, stemming from CWE-94 (code injection).

Any remote attacker can exploit this without privileges or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By distributing a crafted .keras file—via email, shared repositories, or model marketplaces—an attacker tricks a victim into loading it with Keras, achieving remote code execution on the target's system with high impact on confidentiality, integrity, and availability.

Mitigation details are provided in the Keras team's GitHub pull request #20751, which addresses the flaw. A technical writeup with further analysis is available at towerofhanoi.it/writeups/cve-2025-1550. Security practitioners should update Keras and validate model sources before loading.
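As an added example (not from the Cyber Posture page, the Keras project, or the referenced pull request): a pre-load audit that unzips a .keras archive, parses its config.json, and flags every "module" reference outside the keras namespace, which is the channel the summary above describes. The allowlist rule, the `audit_keras_archive`/`make_archive` helpers and the sample configs are constructed assumptions for illustration, not Keras APIs.

```python
import io
import json
import zipfile


def module_allowed(module: str) -> bool:
    """Assumption: a benign Keras 3 config only references the keras namespace.
    Extend this if your codebase registers its own custom objects."""
    return module == "keras" or module.startswith("keras.")


def collect_module_refs(node, found=None) -> list:
    """Recursively gather every (module, class_name) pair in a config tree."""
    if found is None:
        found = []
    if isinstance(node, dict):
        if isinstance(node.get("module"), str):
            found.append((node["module"], str(node.get("class_name", ""))))
        for value in node.values():
            collect_module_refs(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_module_refs(item, found)
    return found


def audit_keras_archive(data: bytes) -> list:
    """Return findings for a .keras archive given as bytes; [] means nothing flagged.
    Run this before Model.load_model on any file from an untrusted source."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            return ["archive has no config.json"]
        config = json.loads(zf.read("config.json"))
    return [f"non-Keras module reference: {module}.{cls}"
            for module, cls in collect_module_refs(config)
            if not module_allowed(module)]


def make_archive(config: dict) -> bytes:
    """Build a minimal in-memory .keras-style zip (constructed sample, not a real model)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


# Constructed samples: a plain Dense layer versus a config pointing at a non-Keras module.
BENIGN = {"module": "keras.models", "class_name": "Sequential",
          "config": {"layers": [{"module": "keras.layers", "class_name": "Dense",
                                 "config": {"units": 4}}]}}
SUSPICIOUS = {"module": "keras.models", "class_name": "Sequential",
              "config": {"layers": [{"module": "some.untrusted.module",
                                     "class_name": "Loader", "config": {}}]}}
```

A flagged module is not proof of malice (legitimate custom objects trigger it too); it is a signal to inspect the file by hand rather than load it.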

Details

CWE(s)
CWE-94

Affected Products

keras / keras, versions 3.0.0 to 3.8.0

AI Security Analysis

AI Category: Deep Learning Frameworks
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Keras is a high-level deep learning framework for building and training neural network models. The vulnerability affects the Keras model loading mechanism (.keras format), enabling arbitrary code execution during deserialization, which is core to deep learning workflows.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.006 Command and Scripting Interpreter: Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability enables arbitrary code execution in Python via deserialization of a malicious .keras model file during Keras load_model, even with safe_mode=True, exploiting client-side software and leveraging the Python interpreter.

References