CVE-2025-1550

CRITICAL NUCLEI

Keras 3.0.0-3.8.0 and 3.9.0 - Remote Code Execution via Malicious .keras Archive


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-1550. PoCs were published by Mohammed Idrees Banyamer and ChCh0i. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages insecure deserialization in Keras model loading to achieve remote code execution by embedding a malicious Lambda layer in a crafted .keras file. When the victim loads the model, the embedded `os.system` call executes arbitrary commands.

Description

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.

Exploits (2)

exploitdb WORKING POC
by Mohammed Idrees Banyamer · python · remote · python
https://www.exploit-db.com/exploits/52359

This exploit leverages insecure deserialization in Keras model loading to achieve remote code execution by embedding a malicious Lambda layer in a crafted .keras file. When the victim loads the model, the embedded `os.system` call executes arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Keras <= 2.15 (with TensorFlow)
No auth needed
Prerequisites: Ability to deliver a malicious .keras file to the victim · Victim must load the model using `load_model()` or `model_from_json()`
devstral-2 · analyzed Feb 18, 2026

github WORKING POC
by ChCh0i · python · poc
https://github.com/ChCh0i/cve-2025-1550

This repository contains a functional exploit for CVE-2025-1550, demonstrating RCE via malicious Keras model JSON configuration. The exploit manipulates the model's config.json to include a subprocess.Popen call, bypassing validation checks.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Keras (specific version not specified)
No auth needed
Prerequisites: Ability to upload a malicious Keras model file to a vulnerable endpoint
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Keras Model.load_model - Arbitrary Code Execution
CRITICAL · by nukunga[seunghyeonJeon]

References (2)

Core References
Exploit, Third Party Advisory
https://towerofhanoi.it/writeups/cve-2025-1550/

Scores

CVSS v3 9.8
EPSS 0.0988
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
keras/keras 3.0.0 - 3.8.0
pypi/keras 3.0.0 - 3.9.0 · PyPI
Published Mar 11, 2025
Tracked Since Feb 18, 2026