exploitDog

GHSA-5478-v2w6-c6q7

Published: 11 Mar 2025
Source: github
Github: Reviewed
CVSS4: 7.3

Description

Duplicate Advisory: Keras arbitrary code execution vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-48g7-3x6r-xfhp. This link is maintained to preserve external references.

Original Description

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.

Packages

Name: keras (pip)
Affected versions: < 3.9.0
Fixed version: 3.9.0

7.3 High

CVSS4

Weaknesses

CWE-94
