| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| keras | pip | < 3.11.0 | 3.11.0 |
The vulnerability lies in the deserialization of Keras models, specifically in the handling of the model's configuration file (config.json) within a .keras archive. The core of the issue is that the deserialization process allowed for the instantiation of arbitrary classes, which could be leveraged for remote code execution.
The analysis of the patch commit 713172ab56b864e59e2aa79b1a51b0e728bba858 reveals that the main fix is in the keras/src/saving/serialization_lib.py file. The function _retrieve_class_or_fn was modified to ensure that only classes that are subclasses of KerasSaveable can be deserialized. Before this change, any class could be loaded, which is the root cause of the vulnerability.
The user-facing API that triggers this vulnerability is keras.saving.load_model (or Model.load_model). This function reads the model archive and initiates the deserialization process. During this process, deserialize_keras_object is called, which in turn calls the vulnerable _retrieve_class_or_fn function.
Therefore, the identified vulnerable functions are keras.saving.serialization_lib._retrieve_class_or_fn, which contains the vulnerable code, and keras.saving.serialization_lib.deserialize_keras_object, which is the direct caller that processes the malicious configuration. An attacker can craft a .keras model with a malicious config.json that, when loaded, would cause the _retrieve_class_or_fn function to load and instantiate an arbitrary Python class, leading to code execution. The patch mitigates this by restricting the allowed classes to a safe subset.
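As an added illustration of the fix described above (example code, not Keras's own implementation): a config-driven class lookup in the pre-patch style, which resolves whatever class the config names, beside the post-patch style, which accepts only subclasses of an allowed base. `Saveable` stands in for `KerasSaveable`, and the config dicts are constructed for the demonstration.

```python
import importlib


class Saveable:
    """Stand-in for Keras's KerasSaveable base class (assumption, not Keras code)."""


class DenseLayer(Saveable):
    """Constructed example of a legitimate, saveable layer class."""

    def __init__(self, units=1):
        self.units = units


class ClassNotAllowed(Exception):
    """Raised when a config names a class outside the allowed base class."""


def retrieve_class_unrestricted(module, name):
    """Pre-patch pattern: resolve whatever the config names, with no type check."""
    return getattr(importlib.import_module(module), name)


def retrieve_class_restricted(module, name, base=Saveable):
    """Post-patch pattern: resolve the name, then accept only subclasses of `base`."""
    obj = getattr(importlib.import_module(module), name)
    if not (isinstance(obj, type) and issubclass(obj, base)):
        raise ClassNotAllowed(f"{module}.{name} is not a subclass of {base.__name__}")
    return obj


def deserialize(config, retrieve):
    """Minimal config-driven instantiation, mirroring the config.json flow."""
    cls = retrieve(config["module"], config["class_name"])
    return cls(**config.get("config", {}))


def config_is_allowed(config):
    """True if the restricted lookup accepts the config, False if it rejects it."""
    try:
        retrieve_class_restricted(config["module"], config["class_name"])
    except ClassNotAllowed:
        return False
    return True


# Constructed configs: one legitimate layer, one naming an unrelated stdlib class.
SAFE_CONFIG = {"module": __name__, "class_name": "DenseLayer", "config": {"units": 64}}
UNRELATED_CONFIG = {"module": "collections", "class_name": "OrderedDict"}

if __name__ == "__main__":
    # Unrestricted lookup happily instantiates a class that is not a layer at all.
    print(type(deserialize(UNRELATED_CONFIG, retrieve_class_unrestricted)).__name__)  # OrderedDict
    print(config_is_allowed(SAFE_CONFIG), config_is_allowed(UNRELATED_CONFIG))  # True False
```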