
GHSA-77wq-646f-jrm2: Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

CVSS Score
N/A

Basic Information

CVE ID
-
EPSS Score
-
Published
9/19/2025
Updated
9/19/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
-
Package Name
keras
Ecosystem
pip
Vulnerable Versions
>= 3.0.0, < 3.11.3
First Patched Version
3.11.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the model loading process for the legacy .h5/.hdf5 format in Keras 3. The root cause is that the safe_mode=True parameter in the top-level keras.saving.load_model function was not being propagated down to the function responsible for handling H5 files, keras.legacy.saving.legacy_h5_format.load_model_from_hdf5.

The exploit takes advantage of the Lambda layer in Keras, which allows for the serialization of arbitrary Python code. An attacker can create a malicious H5 model file containing a pickled Lambda layer. When this model is loaded using load_model, the absence of the safe_mode check in the H5 loading path allows the Lambda.from_config method to deserialize and execute the embedded arbitrary code.

The patch addresses this by ensuring the safe_mode parameter is passed through the entire call chain, from saving_api.load_model to legacy_h5_format.load_model_from_hdf5. The latter function was modified to accept the safe_mode parameter and use a SafeModeScope to conditionally block the deserialization of Lambda layers, thus preventing the arbitrary code execution.

Vulnerable functions

saving_api.load_model (keras/src/saving/saving_api.py)
This is the main user-facing API for loading models. The vulnerability lies in the fact that this function did not pass the `safe_mode` parameter to the underlying `legacy_h5_format.load_model_from_hdf5` function when loading a model from an H5 file. This meant that even if the user specified `safe_mode=True`, it was ignored for this file format.

legacy_h5_format.load_model_from_hdf5 (keras/src/legacy/saving/legacy_h5_format.py)
This function is responsible for the actual loading of the model from an HDF5 file. The original implementation did not have a `safe_mode` parameter, and therefore it never enforced any safety checks during deserialization. The patch adds the `safe_mode` parameter and uses a `SafeModeScope` to control the deserialization process, preventing arbitrary code execution.

lambda_layer.Lambda.from_config (keras/src/layers/core/lambda_layer.py)
This class method is responsible for deserializing a `Lambda` layer from its configuration. The vulnerability is triggered here because, without `safe_mode` being enforced, it proceeds to deserialize a Python lambda function, which can be crafted to execute arbitrary code. The patch ensures that `_raise_for_lambda_deserialization` is called, which will raise an error if `safe_mode` is active.
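Because the unpatched loader only executes the embedded code once `Lambda.from_config` runs, a defender can vet a legacy H5 file before handing it to any loader at all. The check below is an added example written for this advisory; it is not code from the advisory, from Miggo, or from the Keras project. It assumes the legacy H5 layout in which the file's root group carries a `model_config` attribute holding the architecture as JSON (the same attribute the legacy loader reads), and it treats `Lambda` as the only class name of concern, which is the layer this advisory names. The sample configurations are constructed inline; `h5py` is needed only by the file-reading wrapper.

```python
"""Pre-load scan of a legacy Keras H5 model for Lambda layers.

Added example for the advisory above; not Keras project code.  Assumes the
legacy H5 layout where the root group's `model_config` attribute holds the
model architecture as JSON.  `h5py` is only imported by scan_h5_file().
"""
import json

# Layer class names whose from_config() deserializes Python code.
# "Lambda" is the class the advisory names; extend this tuple per deployment.
CODE_EXECUTING_LAYERS = ("Lambda",)


def find_code_layers(node, found=None):
    """Walk a parsed model config (dicts and lists, arbitrarily nested) and
    collect the names of layers whose class_name is in CODE_EXECUTING_LAYERS.

    Functional/Sequential models nest inner models under config["layers"],
    so every dict value and list item is visited, not just the top level.
    """
    if found is None:
        found = []
    if isinstance(node, dict):
        if node.get("class_name") in CODE_EXECUTING_LAYERS:
            cfg = node.get("config")
            name = cfg.get("name", "<unnamed>") if isinstance(cfg, dict) else "<unnamed>"
            found.append(name)
        for value in node.values():
            find_code_layers(value, found)
    elif isinstance(node, list):
        for item in node:
            find_code_layers(item, found)
    return found


def scan_model_config_json(model_config_json):
    """Parse the JSON text stored in the H5 `model_config` attribute and
    return the names of all code-executing layers it declares."""
    return find_code_layers(json.loads(model_config_json))


def scan_h5_file(path):
    """Open a legacy .h5/.hdf5 model with h5py and scan its architecture.

    Returns the list of flagged layer names.  A file with no model_config
    attribute cannot be vetted, so it is rejected rather than passed through.
    """
    import h5py  # imported lazily so the pure-JSON scanner runs without it
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
        if raw is None:
            raise ValueError(f"{path}: no model_config attribute; refusing to vet")
        if isinstance(raw, bytes):  # older files store the JSON as bytes
            raw = raw.decode("utf-8")
        return scan_model_config_json(raw)


def load_model_vetted(path, load_model):
    """Load a legacy H5 model only after the pre-load scan comes back clean.

    `load_model` is the loader callable (e.g. keras.saving.load_model).  The
    scan is applied in addition to safe_mode=True, which a patched Keras
    (>= 3.11.3) honours for H5 files and an unpatched one silently ignores.
    """
    hits = scan_h5_file(path)
    if hits:
        raise ValueError(f"{path}: refusing to load, Lambda layers present: {hits}")
    return load_model(path, safe_mode=True)


# Constructed sample architectures (not taken from any real model file).
CLEAN_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "clean", "layers": [
        {"class_name": "InputLayer", "config": {"name": "input"}},
        {"class_name": "Dense", "config": {"name": "dense", "units": 4}},
    ]},
})

SUSPECT_CONFIG = json.dumps({
    "class_name": "Functional",
    "config": {"name": "outer", "layers": [
        {"class_name": "InputLayer", "config": {"name": "input"}},
        # The Lambda sits inside an inner Sequential model, one level down,
        # which a top-level-only check would miss.
        {"class_name": "Sequential", "config": {"name": "inner", "layers": [
            {"class_name": "Lambda", "config": {"name": "hidden_lambda",
                                                 "function": "<serialized callable>"}},
        ]}},
    ]},
})

if __name__ == "__main__":
    print("clean:", scan_model_config_json(CLEAN_CONFIG))      # []
    print("suspect:", scan_model_config_json(SUSPECT_CONFIG))  # ['hidden_lambda']
```

The scan is a gate, not a substitute for the patch: it only looks at the declared architecture, so it should sit alongside upgrading to 3.11.3 and passing `safe_mode=True`, and any file that fails it (or has no `model_config` at all) is simply never handed to the loader.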

WAF Protection Rules

WAF Rule

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-??rr-ww?j-vrjv. This link is maintained to preserve external references.

### Original Description

The Keras Model.load_model method can be exploited to achieve

Reasoning

The vulnerability exists in the model loading process for the legacy `.h5`/`.hdf5` format in Keras 3. The root cause is that the `safe_mode=True` parameter in the top-level `keras.saving.load_model` function was not being propagated down to the funct