Keras

Vulnerability Report: Arbitrary File Write via Path Traversal (ZipSlip) in Keras 3 Model Loading

Summary

A path traversal vulnerability exists in the Keras 3 .keras model loading process. When a .keras file (which is a ZIP archive) is loaded using keras.models.load_model(), the library extracts the contents of the assets directory. If the archive contains files with path traversal sequences (e.g., ../../), Keras may extract these files to arbitrary locations on the host system, depending on the underlying environment's ZIP handling. This can lead to Arbitrary File Write and potentially Remote Code Execution (RCE) if sensitive files like .bashrc or cron jobs are overwritten.

Target

Keras Native (.keras) - Keras 3.x

Impact

• Arbitrary File Write: An attacker can write files to any location the user has permissions for.
• Remote Code Execution (RCE): By overwriting configuration files or adding scripts to startup directories, an attacker can achieve persistent RCE.
• Scanner Bypass: Many model scanners focus on config.json and Lambda layers, often ignoring the assets/ directory within the ZIP archive.

Proof of Concept (PoC)

The PoC consists of a crafted .keras file that attempts to write a file to /tmp/zipslip_success upon being loaded.
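The mitigation a practitioner wants here is to inspect the ZIP member names of a .keras archive before anything is extracted. The following is an added example written for this report, not code from Keras; the extraction directory `/tmp/extract`, the function names, and the `load_model_checked` wrapper are assumptions for illustration.

```python
import os
import posixpath
import zipfile

# Path-safety check for .keras archives (added example, not Keras library code).
# A .keras file is a ZIP archive; load_model() extracts its assets/ directory,
# so every member name must be checked for traversal before extraction.
# "/tmp/extract" is an assumed extraction directory used only for the check.


def is_unsafe_member(name: str, dest: str = "/tmp/extract") -> bool:
    """True if a ZIP member name would land outside `dest` when extracted."""
    # Absolute paths and Windows drive letters never belong in a model archive.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    # Normalise as an extractor would (ZIP uses '/'), treating '\' as a
    # separator too so a backslash-based traversal cannot slip through.
    normalized = posixpath.normpath(name.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        return True
    # Final check: resolve against the destination and compare prefixes,
    # which also catches traversal hidden behind symlinked directories.
    target = os.path.realpath(os.path.join(dest, normalized))
    root = os.path.realpath(dest)
    return os.path.commonpath([root, target]) != root


def unsafe_members(names, dest: str = "/tmp/extract") -> list:
    """Return the member names that would escape `dest` (empty list if clean)."""
    return [n for n in names if is_unsafe_member(n, dest)]


def scan_keras_archive(path: str, dest: str = "/tmp/extract") -> list:
    """List traversal entries in a .keras file without extracting anything."""
    with zipfile.ZipFile(path) as zf:
        return unsafe_members(zf.namelist(), dest)


def load_model_checked(path: str, **kwargs):
    """Hypothetical guard: refuse load_model() when the archive has unsafe entries."""
    bad = scan_keras_archive(path)
    if bad:
        raise ValueError(f"refusing to load {path}: unsafe ZIP entries {bad}")
    import keras  # imported lazily so the scanner itself needs no Keras install
    return keras.models.load_model(path, **kwargs)
```

Run `scan_keras_archive()` as a pre-load gate in any pipeline that accepts third-party models; a non-empty result means the file should be quarantined rather than passed to load_model().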
