Introduction
Attackers can achieve arbitrary code execution on any system that loads a malicious Keras model file crafted to exploit deserialization flaws in TorchModuleWrapper, even when safe mode is enabled. This vulnerability affects a wide range of machine learning workflows, including automated pipelines and collaborative research environments where model files are routinely shared and loaded from external sources.
About Keras: Keras is a leading open source deep learning framework maintained by Google. It serves as a high level API for building and training neural networks, supporting TensorFlow, PyTorch, and JAX as computational backends. With over 62,000 GitHub stars and adoption in over 300,000 projects, Keras is a foundational tool in both academic and industry AI development.
Technical Information
CVE-2025-49655 is a deserialization vulnerability in Keras versions 3.11.0 up to but not including 3.11.3. The flaw resides in the model loading mechanism when deserializing TorchModuleWrapper objects from .keras model archives. Attackers can craft a config.json within a .keras archive that defines a TorchModuleWrapper layer with malicious initialization parameters. During deserialization, Keras instantiates both the wrapper and the underlying PyTorch module. In affected versions, the safe mode checks do not sufficiently validate the parameters passed to TorchModuleWrapper, allowing arbitrary code execution during model loading. This vulnerability can be triggered by loading either local or remote model files, and does not require user interaction beyond the act of loading the model. The root cause is insufficient validation of deserialized parameters for TorchModuleWrapper, allowing the attacker to specify values that result in execution of arbitrary Python code. No public code snippets are available for this vulnerability.
Affected Systems and Versions
- Keras framework versions 3.11.0, 3.11.1, and 3.11.2 are affected
- All configurations are vulnerable if they load model files containing TorchModuleWrapper layers from untrusted sources
- The vulnerability is present regardless of whether safe mode is enabled
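Because the advisory places the flaw in the `config.json` of a `.keras` archive and notes that safe mode does not help, a practical mitigation is to inspect that file before it is ever handed to the loader. The following Python is an added example (not code from Keras or from this advisory) that opens the archive as a zip, parses `config.json` without instantiating anything, and reports any `TorchModuleWrapper` or `Lambda` layer so the file can be rejected or quarantined; the archive layout, the hypothetical `scan_keras_archive` helper and the sample config it builds are assumptions/constructed data.

```python
import io
import json
import zipfile

# Layer classes this advisory (and the listed prior CVEs) tie to code execution
# during deserialization. Assumption: a starting denylist, not an exhaustive one.
RISKY_CLASSES = {"TorchModuleWrapper", "Lambda"}


def _walk(node, path, findings):
    """Recursively record every serialized object whose class_name is risky."""
    if isinstance(node, dict):
        cls = node.get("class_name")
        if cls in RISKY_CLASSES:
            layer_name = node.get("config", {}).get("name") if isinstance(node.get("config"), dict) else None
            findings.append((path, cls, layer_name))
        for key, child in node.items():
            _walk(child, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", findings)


def scan_keras_archive(data: bytes):
    """Return [(json_path, class_name, layer_name)] for risky layers in config.json.

    `data` is the raw bytes of a .keras archive (assumed to be a zip containing
    config.json). Only the JSON is parsed; no Keras or PyTorch object is built,
    so this is safe to run on an untrusted file before calling load_model.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    findings = []
    _walk(config, "config.json", findings)
    return findings


def build_sample_archive(include_wrapper: bool) -> bytes:
    """Constructed sample: a minimal config.json zipped like a .keras file."""
    layers = [{"class_name": "InputLayer", "config": {"name": "input"}},
              {"class_name": "Dense", "config": {"name": "dense", "units": 4}}]
    if include_wrapper:
        layers.append({"class_name": "TorchModuleWrapper", "config": {"name": "wrapped"}})
    config = {"class_name": "Sequential", "config": {"name": "seq", "layers": layers}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.11.2"}))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        hits = scan_keras_archive(build_sample_archive(flag))
        print("REJECT" if hits else "OK", hits)
```

In a pipeline, run the scan on the downloaded file and refuse to call `load_model` when it returns any findings; the check is a gate in front of the loader, not a replacement for upgrading to 3.11.3 or later.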
Vendor Security History
Keras has experienced multiple deserialization vulnerabilities in recent years, including:
- CVE-2024-3660: Arbitrary code execution via Lambda layers
- CVE-2025-1550: Safe mode bypass through configuration manipulation
- CVE-2025-8747: Code execution via internal function misuse
- CVE-2025-9906: Safe mode bypass through configuration ordering
The vendor has responded with incremental improvements to safe mode and rapid patch releases, but repeated bypasses highlight ongoing architectural challenges in secure model deserialization.