CVE-2021-37678

EIP tracks 1 public exploit for CVE-2021-37678. PoCs published by fran-CICS.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-37678, a TensorFlow deserialization vulnerability. It includes a Dockerized environment, malicious YAML payloads for RCE (reverse shell and password file exfiltration), and a demonstration of the patch (replacing `unsafe_load` with `safe_load`).

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses `yaml.unsafe_load` which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.