Keras load_model() HDF5 Shape Bomb PoC

CVE-2026-0897 Bypass - Shape validation missing in primary load path

This repository contains proof-of-concept files demonstrating that the fix for CVE-2026-0897 (GHSA-mgx6-5cf9-rr43) is incomplete. The shape/size validation was only added to KerasFileEditor but NOT to the primary load_model() path.

Vulnerability

keras.saving.load_model() loads HDF5 weight datasets via H5IOStore.__getitem__() which calls np.array(dataset) without validating the dataset's declared shape. A crafted .keras file can declare HDF5 shapes requiring petabytes of memory, causing immediate Denial of Service.

Files

| File | Size | Description |
|---|---|---|
| shape_bomb_extreme.keras | 885 B | Claims 8.88 PiB (50M x 50M float32) |
| shape_bomb_moderate.keras | 1.3 KB | Claims 40 GB (100K x 100K float32) |
| generate_poc.py | - | Generates the PoC files |
| verify_bypass.py | - | Proves the CVE-2026-0897 bypass without crashing |

Reproduction

```python
import keras

# Crashes with MemoryError:
model = keras.saving.load_model("shape_bomb_extreme.keras")

# KerasFileEditor correctly rejects (fixed by CVE-2026-0897):
editor = keras.saving.KerasFileEditor("shape_bomb_extreme.keras")
```
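
A pre-load check that a consumer of untrusted .keras files can run before calling load_model(), as an added example that is not part of this repository or of Keras: it reads only the HDF5 metadata of the weights member and rejects any dataset whose declared shape times dtype size exceeds a cap. The caps and the names oversized_datasets and guarded_load_model are assumptions chosen for illustration.

```python
import io
import math
import zipfile

import h5py

WEIGHTS_MEMBER = "model.weights.h5"   # HDF5 weights member of a Keras 3 .keras zip
MAX_DATASET_BYTES = 2 * 1024**3       # assumed per-dataset cap, set by the deployer
MAX_WEIGHTS_FILE_BYTES = 8 * 1024**3  # assumed cap on the unpacked HDF5 member


def oversized_datasets(keras_path, max_bytes=MAX_DATASET_BYTES):
    """Return (name, shape, declared_bytes) for each dataset above max_bytes.

    Reads HDF5 metadata only; no dataset is converted to an array.
    """
    with zipfile.ZipFile(keras_path) as zf:
        info = zf.getinfo(WEIGHTS_MEMBER)
        # Bound the unzip step itself before reading the member into memory.
        if info.file_size > MAX_WEIGHTS_FILE_BYTES:
            raise ValueError(f"{WEIGHTS_MEMBER} unpacks to {info.file_size} bytes")
        raw = zf.read(info)

    findings = []

    def visit(name, obj):
        if isinstance(obj, h5py.Dataset) and obj.shape is not None:
            # Convert to Python ints so the product cannot wrap around.
            elements = math.prod(int(dim) for dim in obj.shape)
            declared = elements * obj.dtype.itemsize
            if declared > max_bytes:
                findings.append((name, tuple(obj.shape), declared))

    with h5py.File(io.BytesIO(raw), "r") as h5:
        h5.visititems(visit)
    return findings


def guarded_load_model(keras_path, max_bytes=MAX_DATASET_BYTES):
    """Hypothetical wrapper: refuse the file before Keras touches the weights."""
    findings = oversized_datasets(keras_path, max_bytes)
    if findings:
        name, shape, declared = findings[0]
        raise ValueError(f"{name}: declared shape {shape} needs {declared} bytes")
    import keras  # imported late so the check runs without Keras installed
    return keras.saving.load_model(keras_path)
```

The check covers only the weights member of a .keras archive; standalone HDF5 weight files would need the same walk applied to them directly.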

Tested on

  • keras 3.14.1 (latest, includes CVE-2026-0897 fix)
  • Python 3.12, h5py 3.16.0, numpy 2.x

License

MIT
