Skip to main content

Python CVE-2025-1550

CRITICAL
Code Injection (CWE-94)
2025-03-11 cve-coordination@google.com GHSA-48g7-3x6r-xfhp
Python Red Hat RCE
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
PoC Detected
Jul 31, 2025 - 16:55 vuln.today
Public exploit code
Patch released
Jul 31, 2025 - 16:55 nvd
Patch available
CVE Published
Mar 11, 2025 - 09:15 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on keras (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.

AnalysisAI

Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .keras archive. An attacker can specify arbitrary Python modules and functions to be loaded during model deserialization. PoC available, patch available.

Technical ContextAI

The .keras archive format includes a config.json that specifies which Python classes to instantiate. While safe_mode=True restricts certain operations, the validation is insufficient (CWE-94) – an attacker can reference arbitrary Python modules and functions with controlled arguments in the config.

Affected ProductsAI

Keras (versions before the fix)

RemediationAI

Update Keras to the latest patched version. Never load models from untrusted sources, even with safe_mode=True. Validate model provenance before loading.

More from same product – last 7 days

CVE-2026-48039 CRITICAL POC
9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
CVE-2026-20251 HIGH
8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
CVE-2026-53753 CRITICAL
9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-48519 CRITICAL
9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
CVE-2026-45833 CRITICAL
9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

Vendor StatusVendor

Share

CVE-2025-1550 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy