CVE-2025-1550: Keras: safe_mode bypass enables RCE via model loading

GHSA-48g7-3x6r-xfhp CRITICAL PoC AVAILABLE CISA: ATTEND
Published March 11, 2025
CISO Take

Any organization running Keras 3.x that loads .keras model files must patch to 3.9.0 immediately — the safe_mode=True flag, often cited as a security control, is completely bypassed. This is particularly dangerous in MLOps pipelines and model registries that ingest externally sourced models. Treat any .keras file loaded from outside your trust boundary as a potential code execution vector until patched.

What is the risk?

Extremely high. CVSS 9.8 with network attack vector, zero authentication required, and zero user interaction needed beyond the normal act of loading a model — which is standard, trusted behavior in ML workflows. The safe_mode bypass is the critical aggravating factor: security-conscious teams may have relied on this flag as a compensating control, creating a false sense of security. Exploit complexity is low; a proof-of-concept writeup is already public. EPSS of 4.8% suggests active exploitation interest. AI/ML systems are disproportionately exposed because model loading is a core, frequent operation trusted implicitly.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Keras | pip | >= 3.0.0, < 3.9.0 | 3.9.0 |

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 2.8% chance of exploitation in 30 days (higher than 85% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

| Metric | Value |
|---|---|
| AV (Attack Vector) | Network |
| AC (Attack Complexity) | Low |
| PR (Privileges Required) | None |
| UI (User Interaction) | None |
| S (Scope) | Unchanged |
| C (Confidentiality) | High |
| I (Integrity) | High |
| A (Availability) | High |

What should I do?

7 steps
  1. Patch immediately

    Upgrade Keras to 3.9.0 or later. Run `pip install "keras>=3.9.0"` (quoted so the shell does not treat `>=` as an output redirect) across all environments (dev, staging, prod).

  2. Audit model sources

    Inventory all locations where .keras files are loaded from. Block loading from untrusted sources at the pipeline level.

  3. Remove safe_mode reliance

    Do not treat safe_mode=True as a security boundary — it is not. Remove any security documentation or runbooks that cite it as a control.

  4. Implement model signing

    Enforce cryptographic signing and verification of model artifacts before loading. Consider tools like Sigstore or internal PKI for model provenance.

  5. Sandboxed model loading

    Run model loading in isolated containers/VMs with minimal filesystem and network access. Use seccomp profiles to restrict syscalls.

  6. Detection

    Alert on unexpected child process creation, outbound network connections, or file writes during model loading operations. Monitor for subprocess, os.system, eval, exec calls in Python processes handling model files.

  7. Model registry controls

    Enforce that only models loaded from internal, verified registries (e.g., MLflow with integrity checks) are used in production.
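One way to implement the detection described in step 6 over process telemetry, as an added example that is not part of this advisory: the rules flag a model-loading Python process (identified here by a `.keras` path on its command line, an assumption for the example) that spawns a non-Python child, connects anywhere other than the internal registry, or writes outside its cache directory. The event schema, the `registry.internal` host, the `/models/cache/` prefix and the log lines are all constructed for this example.

```python
import json

# Assumptions for this example (tune to your environment):
ALLOWED_CHILD_EXES = {"/usr/bin/python3"}             # multiprocessing/data-loader workers are expected
ALLOWED_NET_DESTINATIONS = {"registry.internal:443"}  # hypothetical internal model registry
ALLOWED_WRITE_PREFIXES = ("/models/cache/",)          # hypothetical scratch directory of the loader


def is_model_loader(cmdline: str) -> bool:
    """Heuristic used here to tag a process as a model loader: a .keras path on its command line."""
    return ".keras" in cmdline


def check_event(ev: dict):
    """Return an alert dict for one telemetry event, or None when the event is expected."""
    kind = ev.get("type")
    if kind == "process_start" and is_model_loader(ev.get("parent_cmdline", "")):
        # A loader forking a shell, downloader or other non-Python binary is the page's "unexpected child process".
        if ev.get("exe") not in ALLOWED_CHILD_EXES:
            return {"rule": "unexpected_child_process", "pid": ev["pid"], "detail": ev.get("cmdline")}
    elif kind == "net_connect" and is_model_loader(ev.get("cmdline", "")):
        if ev.get("dst") not in ALLOWED_NET_DESTINATIONS:
            return {"rule": "unexpected_outbound_connection", "pid": ev["pid"], "detail": ev.get("dst")}
    elif kind == "file_write" and is_model_loader(ev.get("cmdline", "")):
        if not ev.get("path", "").startswith(ALLOWED_WRITE_PREFIXES):
            return {"rule": "unexpected_file_write", "pid": ev["pid"], "detail": ev.get("path")}
    return None


def analyze(log_text: str) -> list:
    """Run the three rules over newline-delimited JSON events and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real data); one JSON object per line.
SAMPLE_LOG = """
{"type": "process_start", "pid": 4101, "ppid": 4100, "parent_cmdline": "python3 serve.py --model /models/prod.keras", "exe": "/usr/bin/python3", "cmdline": "python3 -c from multiprocessing.spawn import spawn_main"}
{"type": "process_start", "pid": 4102, "ppid": 4100, "parent_cmdline": "python3 serve.py --model /models/prod.keras", "exe": "/bin/sh", "cmdline": "sh -c <redacted>"}
{"type": "net_connect", "pid": 4100, "cmdline": "python3 serve.py --model /models/prod.keras", "dst": "203.0.113.7:4444"}
{"type": "net_connect", "pid": 4100, "cmdline": "python3 serve.py --model /models/prod.keras", "dst": "registry.internal:443"}
{"type": "file_write", "pid": 4100, "cmdline": "python3 serve.py --model /models/prod.keras", "path": "/tmp/.cache-x"}
{"type": "process_start", "pid": 5301, "ppid": 5300, "parent_cmdline": "python3 etl.py --input /data/batch.csv", "exe": "/bin/sh", "cmdline": "sh -c gzip /data/batch.csv"}
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The last sample line shows the scoping choice: a shell spawned by an unrelated ETL job is not flagged by these rules, because the point is to alert on behaviour that a model-loading process specifically has no reason to exhibit; broaden the `is_model_loader` heuristic (service account, container label) to match how your loaders are actually identified.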

What does CISA's SSVC say?

| Decision | Attend |
|---|---|
| Exploitation | poc |
| Automatable | No |
| Technical Impact | total |

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Article 15 (Accuracy, robustness and cybersecurity); Article 9 (Risk management system)
  • ISO 42001: A.6.1.6 (AI system supply chain management); A.8.5 (AI system security)
  • NIST AI RMF: GOVERN 1.7 (Processes for AI risk identification and management); MANAGE 2.2 (Risk treatment and mitigation)
  • OWASP LLM Top 10: LLM03:2025 (Supply Chain Vulnerabilities)

Frequently Asked Questions


Is CVE-2025-1550 actively exploited?

A working exploit for CVE-2025-1550 is published in Exploit-DB, increasing the risk of exploitation.


What systems are affected by CVE-2025-1550?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps platforms, model registries, CI/CD pipelines.

What is the CVSS score for CVE-2025-1550?

CVE-2025-1550 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 2.80%.

What is the AI security impact?

Affected AI Architectures

  • training pipelines
  • model serving
  • MLOps platforms
  • model registries
  • CI/CD pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.6, A.8.5
NIST AI RMF: GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.
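A pre-load gate that follows from the mechanism described above, and from the "audit model sources" and "remove safe_mode reliance" steps earlier on this page, added here as an example and not code from Keras or from the advisory: a `.keras` file is a zip archive whose `config.json` serializes each object with `module` and `class_name` keys, so the scanner opens the archive without deserializing the model, walks the config and reports any object whose `module` is outside the `keras` namespace or whose `class_name` is a dotted import path. The allowlist and the two sample archives are constructed for this example; extend the allowlist with the modules of any custom objects you register deliberately.

```python
import io
import json
import zipfile


def is_allowed_module(name: str) -> bool:
    """Allowlist assumed for this example: only the keras namespace itself."""
    return name == "keras" or name.startswith("keras.")


def walk_config(node, path="$"):
    """Yield (json_path, reason) for every serialized object that points outside the allowlist."""
    if isinstance(node, dict):
        module = node.get("module")
        if isinstance(module, str) and not is_allowed_module(module):
            yield path, f"module '{module}' is outside the keras namespace"
        class_name = node.get("class_name")
        if isinstance(class_name, str) and "." in class_name:
            yield path, f"class_name '{class_name}' looks like a fully qualified import path"
        for key, value in node.items():
            yield from walk_config(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_config(value, f"{path}[{index}]")


def scan_keras_archive(data: bytes) -> list:
    """Inspect config.json inside a .keras zip; nothing from the archive is imported or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("not a .keras archive: config.json is missing")
        config = json.loads(zf.read("config.json"))
    return list(walk_config(config))


def build_sample_archive(config: dict) -> bytes:
    """Build a minimal .keras-style zip in memory (constructed for this example; no weights file)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "sample"}))
        zf.writestr("config.json", json.dumps(config))
    return buffer.getvalue()


# Constructed sample configs: the second references a module no model has any reason to name.
BENIGN_CONFIG = {
    "module": "keras",
    "class_name": "Sequential",
    "config": {"layers": [
        {"module": "keras.layers", "class_name": "Dense", "config": {"units": 8}},
    ]},
}
SUSPICIOUS_CONFIG = {
    "module": "keras",
    "class_name": "Sequential",
    "config": {"layers": [
        {"module": "keras.layers", "class_name": "Dense", "config": {"units": 8}},
        {"module": "subprocess", "class_name": "Popen"},
    ]},
}

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        findings = scan_keras_archive(build_sample_archive(cfg))
        print(name, "->", findings or "no findings; pass to the next gate")
```

Run the scan before `load_model` and reject any archive with findings. It is a gate on untrusted input, not a substitute for upgrading to 3.9.0 or for signature verification: a finding tells you the config names code outside Keras, which is exactly what the advisory says a crafted archive does and what `safe_mode=True` failed to stop.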

Exploitation Scenario

An adversary targets an organization using Keras for LLM fine-tuning or inference. They publish a 'fine-tuned LLaMA adapter' on a public model hub, or send a model file via a phishing email to an ML engineer. The .keras archive contains a crafted config.json specifying `__class_name__: subprocess.Popen` with arguments establishing a reverse shell. The engineer loads the model — even explicitly passing `safe_mode=True` — and within seconds the attacker has an interactive shell running as the ML service account. From there they pivot to the training data S3 bucket, exfiltrate model weights (IP theft), or implant a backdoor in production inference services. The entire attack chain requires zero prior access and is triggered by a single, routine ML workflow action.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 11, 2025
Last Modified: July 31, 2025
First Seen: March 11, 2025
