EXECUTIVE SUMMARY:
A critical remote code execution vulnerability, CVE-2025-49655 (CVSS 9.8), was identified in Keras 3, affecting the Torch backend in versions 3.11.0 through 3.11.2. The flaw resides in the TorchModuleWrapper.from_config() method, which invokes torch.load(..., weights_only=False), leading to unsafe use of Python’s pickle deserialization. As a result, a specially crafted .keras model file or configuration can execute arbitrary system commands when it is loaded, even if safe_mode=True. The issue poses a significant risk to machine learning supply chains, as attackers can exploit it by embedding malicious payloads in shared or downloaded models.
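A defender-side pre-load check for the mechanism described above, added here as an example and not code from the Keras or PyTorch projects: it statically lists the module-level objects a pickle stream would import, which is the gate torch.load(weights_only=True) enforces through its allowlist and weights_only=False does not, and flags anything outside a tensor-only allowlist. The allowlist contents and both sample streams are constructed for illustration.

```python
import collections
import pickle
import pickletools

# Assumed, illustrative subset of the globals a tensor-only checkpoint needs;
# this is not torch's actual weights_only allowlist.
TENSOR_ONLY_ALLOWLIST = frozenset({
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
})

def pickle_global_refs(data: bytes) -> list[str]:
    """Statically list every 'module.name' the stream would import.
    Walks opcodes with pickletools.genops, so nothing is unpickled or run.
    Only GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4) can fetch
    an object from a module; that is the hook an unsafe torch.load exposes."""
    refs, strings, memo, last = [], [], {}, None
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name == "GLOBAL":                          # arg is "module name"
            refs.append(".".join(arg.split(" ", 1)))
        elif name == "STACK_GLOBAL":                  # module, name pushed as str
            refs.append(".".join(strings[-2:]))
        elif isinstance(arg, str) and ("UNICODE" in name or "STRING" in name):
            strings.append(arg)
            last = arg
        elif name == "MEMOIZE":                       # memo[len(memo)] = top
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):  # re-push a memoized str
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None
    return refs

def unsafe_global_refs(data: bytes, allowlist=TENSOR_ONLY_ALLOWLIST) -> list[str]:
    """Globals the stream would import that a tensor-only loader must reject."""
    return [ref for ref in pickle_global_refs(data) if ref not in allowlist]

# Constructed sample 1: a harmless, state-dict-shaped object from the stdlib.
BENIGN_STATE_DICT = pickle.dumps(
    collections.OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)

# Constructed sample 2: hand-assembled protocol-2 stream whose GLOBAL names a
# fictional module and whose REDUCE would call it on load. Nothing real is named.
SUSPICIOUS_STREAM = b"\x80\x02cnot_a_real_module\nrun_on_load\n)R."
```

torch.save writes a zip archive, so to vet a checkpoint, or the bytes that from_config() hands to torch.load, run unsafe_global_refs() over the archive's data.pkl entry before any load; a non-empty result means the file needs more than tensors to deserialize and should not be loaded with weights_only=False.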
RECOMMENDATION:
We strongly recommend you update Keras to version 3.11.3 or later.
REFERENCES:
The following reports contain further technical details: