Keras CWE-789: Uncontrolled Memory Allocation in .keras Format
Status: FINDING CONFIRMED, READY TO SUBMIT
Severity: High (P2), DoS
Target
- Repo: keras-team/keras
- Platform: huntr.com
- Format: .keras (ZIP archive with config.json + model.weights.h5)
Vulnerable Files
| File | Location | Issue |
|---|---|---|
| keras/src/saving/saving_lib.py | _model_from_config() | Raw json.loads(), no sanitization of integer values |
| keras/src/saving/serialization_lib.py | deserialize_keras_object() | Immediate instantiation without bounds validation |
| keras/src/layers/core/dense.py | __init__() / build() | units > 0 only; no upper bound |
| keras/src/layers/core/embedding.py | build() | input_dim > 0, output_dim > 0 only; no upper bound |
| keras/src/layers/rnn/lstm.py | build() | Gate multiplier: kernel is (input_dim, 4*units) and recurrent_kernel is (units, 4*units), so the allocation grows as 4*units^2, not just 4x |
Missing Check
```python
# Present (Dense.__init__):
if not isinstance(units, int) or units <= 0:
    raise ValueError(...)

# MISSING (MAX_SAFE_UNITS is a proposed constant, not yet defined in Keras):
if units > MAX_SAFE_UNITS:
    raise ValueError(f"units={units} exceeds safe limit")
```
Attack Variants
| Variant | Config Value | Expected Allocation |
|---|---|---|
| Dense | units=2_000_000_000 | ~8 GB float32 |
| LSTM | units=500_000_000 | ~8 GB float32 for the input kernel (×4 gate multiplier); recurrent_kernel (units, 4*units) is far larger |
| Embedding | input_dim=100k, output_dim=100k | ~40 GB float32 |
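As an added example (not part of the original finding and not code from the Keras project), the following stand-alone checker inspects config.json inside a .keras archive before any layer is instantiated, which is where the loader-side counterpart of the "Missing Check" above belongs, and it reproduces the allocation estimates from the variants table. It assumes the Keras 3 config layout (a top-level object with class_name/config and nested layers lists), uses hypothetical limits MAX_SAFE_UNITS and MAX_BYTES_PER_LAYER, and the archives it builds are constructed in-memory stand-ins with an empty weights placeholder, not loadable models.

```python
"""Pre-load sanity check for .keras archives: walk config.json and refuse
layers whose declared sizes imply an unreasonable weight allocation.
Added example; limits and archive layout are assumptions, not Keras policy."""
import io
import json
import zipfile

MAX_SAFE_UNITS = 1_000_000          # hypothetical per-dimension cap
MAX_BYTES_PER_LAYER = 2 * 1024**3   # hypothetical 2 GiB cap per layer
FLOAT32 = 4


def estimate_layer_bytes(class_name, cfg, input_dim=1):
    """Lower bound on float32 weight bytes for the layer types in the finding.
    input_dim is unknown until build(), so assume 1: this only under-estimates."""
    u = cfg.get("units")
    if class_name == "Dense" and u is not None:
        return (input_dim * u + u) * FLOAT32                  # kernel + bias
    if class_name == "LSTM" and u is not None:
        # LSTMCell.build: kernel (input_dim, 4u), recurrent_kernel (u, 4u), bias (4u)
        return (input_dim * 4 * u + u * 4 * u + 4 * u) * FLOAT32
    if class_name == "Embedding":
        return cfg.get("input_dim", 0) * cfg.get("output_dim", 0) * FLOAT32
    return 0


def iter_layers(node):
    """Yield (class_name, config) for every serialized object in the config tree,
    recursing so nested models (Sequential inside Functional) are covered too."""
    if isinstance(node, dict):
        if "class_name" in node and isinstance(node.get("config"), dict):
            yield node["class_name"], node["config"]
        for v in node.values():
            yield from iter_layers(v)
    elif isinstance(node, list):
        for v in node:
            yield from iter_layers(v)


def audit_keras_archive(data: bytes):
    """Return [(layer_name, class_name, reason), ...]; an empty list means OK.
    Only config.json is read; nothing is instantiated and no weights are touched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    for class_name, cfg in iter_layers(config):
        name = cfg.get("name", "?")
        for key in ("units", "input_dim", "output_dim"):
            val = cfg.get(key)
            if isinstance(val, int) and val > MAX_SAFE_UNITS:
                findings.append((name, class_name, f"{key}={val} exceeds {MAX_SAFE_UNITS}"))
        est = estimate_layer_bytes(class_name, cfg)
        if est > MAX_BYTES_PER_LAYER:
            findings.append((name, class_name, f"estimated >= {est / 1024**3:.1f} GiB of weights"))
    return findings


def build_config(layers):
    """Constructed Keras-3-style Sequential config; not a real saved model."""
    return {"module": "keras", "class_name": "Sequential",
            "config": {"name": "sequential", "layers": layers}}


def make_archive(config):
    """Constructed .keras-like ZIP: config.json plus an empty weights placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")  # placeholder, not valid HDF5
    return buf.getvalue()


# Constructed inputs mirroring the three variants in the table above.
MALICIOUS = make_archive(build_config([
    {"module": "keras.layers", "class_name": "Dense",
     "config": {"name": "dense", "units": 2_000_000_000}},
    {"module": "keras.layers", "class_name": "LSTM",
     "config": {"name": "lstm", "units": 500_000_000}},
    {"module": "keras.layers", "class_name": "Embedding",
     "config": {"name": "embedding", "input_dim": 100_000, "output_dim": 100_000}},
]))
BENIGN = make_archive(build_config([
    {"module": "keras.layers", "class_name": "Dense",
     "config": {"name": "dense", "units": 128}},
]))

if __name__ == "__main__":
    for finding in audit_keras_archive(MALICIOUS):
        print("REJECT", finding)
    print("benign findings:", audit_keras_archive(BENIGN))
```

The Embedding variant is the reason the byte estimate exists alongside the per-dimension cap: 100k × 100k passes any reasonable single-value limit, yet the product is 40 GB, so a defence that only caps `units`, `input_dim` and `output_dim` individually still lets that payload through.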
PoC Files
- poc_keras_dos.py: generates all 3 variants and triggers load
- malicious_dense.keras: Dense OOM payload (generated by script)
- malicious_lstm.keras: LSTM OOM payload (generated by script)
- malicious_emb.keras: Embedding OOM payload (generated by script)
Reproduction
```shell
pip install keras h5py
python poc_keras_dos.py
```