Keras: safe_mode=False Bypass via __reduce__() PoC
Summary
KerasSaveable.__reduce__() and _unpickle_model() in keras/src/saving/keras_saveable.py (line 22)
always pass safe_mode=False when a model is restored from a pickle. This silently bypasses the
safe_mode=True default of keras.saving.load_model(), which exists to prevent arbitrary code
execution during deserialization.
Attack Vector
When Keras models are handed to distributed computing frameworks (Ray, Dask, multiprocessing, joblib),
they are pickled via __reduce__(). During unpickling, _unpickle_model() reloads the model with
safe_mode=False, so Lambda layers whose function is serialized as Python bytecode, or custom objects
that safe_mode=True would refuse to deserialize, execute arbitrary code on load.
Note that unpickling untrusted data is arbitrary code execution on its own; the point of this finding
is that a model which was only ever pickled by one of these frameworks never receives the safe_mode
check, even though the consumer may assume it does.
Files
malicious_keras_model.pkl: demonstrates RCE via pickle.load()
Reproduction
```python
import pickle

# Loading a malicious pickled Keras model triggers RCE: pickle calls
# _unpickle_model(), which restores the model with safe_mode=False.
with open("malicious_keras_model.pkl", "rb") as f:
    model = pickle.load(f)  # RCE via safe_mode=False bypass
```
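The check a consumer of such pickles would want, as an added example that is not part of this PoC repo or of Keras: a restricted unpickler that resolves only allow-listed globals and refuses the Keras loader by name, so the REDUCE call that would invoke _unpickle_model() never runs. The module path keras.src.saving.keras_saveable is derived from the file path above; the payload bytes are constructed by hand in protocol 0 so the example runs without Keras installed, and the allow-list and gadget list are illustrative assumptions to be tuned per deployment.

```python
import io
import pickle

# Assumed allow-list of (module, name) pairs a plain data pickle may reference.
ALLOWED_GLOBALS = {
    "builtins": {"set", "frozenset", "range", "slice", "complex", "bytearray"},
    "collections": {"OrderedDict", "deque"},
}

# Callables refused explicitly, with the reason shown to the operator.
# The Keras entry is the reducer named by KerasSaveable.__reduce__().
BLOCKED_REDUCERS = {
    ("keras.src.saving.keras_saveable", "_unpickle_model"):
        "Keras _unpickle_model() restores the model with safe_mode=False",
    ("os", "system"): "shell execution gadget",
    ("subprocess", "Popen"): "process execution gadget",
    ("builtins", "eval"): "code execution gadget",
    ("builtins", "exec"): "code execution gadget",
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals.

    pickle calls find_class() for every GLOBAL/STACK_GLOBAL opcode, i.e. for
    every callable a later REDUCE opcode would invoke, so raising here stops
    the payload before any attacker-chosen function runs.
    """

    def find_class(self, module, name):
        reason = BLOCKED_REDUCERS.get((module, name))
        if reason is not None:
            raise pickle.UnpicklingError(f"refusing {module}.{name}: {reason}")
        if name in ALLOWED_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allow-listed")


def safe_load(data: bytes):
    """Load a pickle through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'ok' for an accepted pickle, otherwise the refusal message."""
    try:
        safe_load(data)
        return "ok"
    except pickle.UnpicklingError as exc:
        return str(exc)


# Constructed inputs (not captured from the PoC file).
# Plain data: no GLOBAL opcodes, so find_class() is never consulted.
BENIGN_PAYLOAD = pickle.dumps({"weights": [1, 2, 3]})

# Protocol-0 opcodes of the shape KerasSaveable.__reduce__() produces:
# GLOBAL module/name, MARK, STRING argument, TUPLE, REDUCE, STOP.
KERAS_REDUCE_PAYLOAD = (
    b"ckeras.src.saving.keras_saveable\n_unpickle_model\n"
    b"(S'placeholder'\n"
    b"tR."
)

# The classic non-Keras gadget, to show the allow-list is not Keras-specific.
OS_SYSTEM_PAYLOAD = b"cos\nsystem\n(S'id'\ntR."

if __name__ == "__main__":
    for label, payload in [("benign", BENIGN_PAYLOAD),
                           ("keras reduce", KERAS_REDUCE_PAYLOAD),
                           ("os.system", OS_SYSTEM_PAYLOAD)]:
        print(f"{label}: {classify(payload)}")
```

This does not make pickle safe in general; it only narrows what a pickle can name. Where a model must cross a trust boundary, prefer the native .keras format loaded with safe_mode=True, and reserve this kind of unpickler for data that should never contain callables at all.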
Affected Version
Keras 3.x (commit d9966a5c09acce4713d68fe1a7cd96713620e211)