Model card: xiaoyaoes/modelscan-kv1-bypass-poc
MFV Submission: Keras non-Lambda Code Execution (CVE-2025-1550 style)
Summary
ModelScan's Keras scanner only checks for class_name == "Lambda" to detect
malicious layers. However, Keras's deserialize_keras_object allows arbitrary
module imports via the _retrieve_class_or_fn function, which is not
protected by safe_mode for non-Lambda objects.
The Gap
- ModelScan checks: `layer.get("class_name", {}) == "Lambda"`
- Keras loads: ANY `module.class_name` pair (e.g., `subprocess.Popen`)
- `safe_mode=False` is NOT required for non-Lambda objects
Attack Vector
A .keras file with a crafted config.json containing:

```json
{
  "module": "subprocess",
  "class_name": "Popen",
  "inbound_nodes": [{"args": [["command"]], "kwargs": {}}]
}
```
ModelScan Detection
ModelScan scans .keras files using KerasLambdaDetectScan which only
identifies Lambda layers. The malicious layer uses class_name: "Popen"
which completely bypasses detection.
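As an added example (not code from this PoC repo or from ModelScan), the following check walks a Keras config.json and flags every serialized object whose `module` lies outside Keras itself, instead of only matching `class_name == "Lambda"`. The allowlist of module roots and the embedded sample config are assumptions constructed for this illustration.

```python
# Added example (not PoC or ModelScan code): flag foreign module/class_name pairs, not only Lambda layers.
import json
import zipfile

# Assumed allowlist of module roots a benign Keras 3 archive may reference.
ALLOWED_MODULE_ROOTS = ("keras", "keras_core", "tf_keras", "tensorflow.keras")

def module_is_allowed(module):
    """True when `module` is an allowed root or a submodule of one."""
    return any(module == root or module.startswith(root + ".")
               for root in ALLOWED_MODULE_ROOTS)

def iter_serialized_objects(obj):
    """Yield every dict carrying a class_name, anywhere in the config tree."""
    if isinstance(obj, dict):
        if "class_name" in obj:
            yield obj
        for value in obj.values():
            yield from iter_serialized_objects(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_serialized_objects(value)

def find_suspicious_objects(config):
    """Return (reason, module, class_name) for objects a Lambda-only scan misses."""
    findings = []
    for obj in iter_serialized_objects(config):
        module = obj.get("module") or ""
        class_name = obj.get("class_name", "")
        if class_name == "Lambda":
            findings.append(("lambda-layer", module, class_name))
        elif module and not module_is_allowed(module):
            findings.append(("foreign-module", module, class_name))
    return findings

def scan_keras_archive(path):
    """Open a .keras zip archive and scan the config.json stored inside it."""
    with zipfile.ZipFile(path) as archive:
        config = json.loads(archive.read("config.json"))
    return find_suspicious_objects(config)

# Constructed sample config shaped like the layer shown on this page.
SAMPLE_CONFIG = {
    "module": "keras.models", "class_name": "Functional",
    "config": {"layers": [
        {"module": "keras.layers", "class_name": "Dense", "config": {"units": 4}},
        {"module": "subprocess", "class_name": "Popen",
         "inbound_nodes": [{"args": [["command"]], "kwargs": {}}]},
    ]},
}
```

Calling `scan_keras_archive("model.keras")` applies the same check to the config.json inside a real archive.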
Impact
RCE when loaded by Keras < 3.9 (vulnerable versions). ModelScan reports "NO ISSUES FOUND" despite the malicious payload.
Related
- CVE-2025-1550 (Keras arbitrary module import)
- GHSA-48g7-3x6r-xfhp