Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Malicious model is delivered over the network and loaded without auth or interaction (AV:N/PR:N/UI:N), low-complexity deserialization yields full OS code execution (C/I/A:H).
Primary rating from Vendor (huntr_ai).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the Lambda layer. Specifically, the _raise_for_lambda_deserialization() function fails to enforce the safe-mode guard when safe_mode is set to None, which is the default value when from_config() is called outside of a SafeModeScope context. This logic error conflates None (unset/default-deny) with False (explicitly disabled), bypassing the guard and allowing attacker-controlled marshal bytecode to be deserialized. Affected call sites include keras.layers.deserialize(config), keras.models.clone_model(model), and any direct invocation of Lambda.from_config(config) without an enclosing SafeModeScope(True). This vulnerability can be exploited to achieve arbitrary OS-level code execution in the context of the server or user process.
AnalysisAI
Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized Lambda layer that is deserialized without an active SafeModeScope. The root cause is _raise_for_lambda_deserialization() treating a None safe_mode (the default when from_config() runs outside a SafeModeScope) as if it were an explicit False, so the safe-mode guard is skipped and attacker-controlled marshal bytecode executes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to deserialize an attacker-controlled Keras artifact through `keras.layers.deserialize(config)`, `keras.models.clone_model(model)`, or `Lambda.from_config(config)` while NOT inside an enclosing `SafeModeScope(True)` context - the default `safe_mode=None` is precisely the vulnerable state. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H), indicating a network-reachable, low-complexity, unauthenticated path to total compromise, consistent with the SSVC 'total' technical impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious Keras model or layer config containing a `Lambda` layer whose function is `marshal`-encoded bytecode, then delivers it to a victim service that loads user-supplied models (e.g., a model-hosting or AutoML pipeline). When the service calls `keras.layers.deserialize()` or `clone_model()` outside a `SafeModeScope`, the guard is bypassed and the attacker's bytecode runs as the server process. … |
| Remediation | No vendor-released patched version is identified in the supplied data, so the fix version cannot be cited (EUVD lists only 'unspecified ≤latest' and no tagged release is provided); monitor the Huntr report (https://huntr.com/bounties/59ceaed1-c8a3-4135-8f94-169ade02823d) and NVD (https://nvd.nist.gov/vuln/detail/CVE-2026-12481) for the patched release and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Conduct rapid inventory of systems running keras-team/keras 3.14.0 and assess network exposure; immediately restrict external access to model loading endpoints and isolate affected services from sensitive networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Keras Team Keras
View allArbitrary code execution in Keras 3.13.0 occurs because the TFSMLayer class unconditionally loads attacker-supplied Tens
Path traversal in Keras 3.14.0 exposes local file systems to arbitrary file and directory creation when processing malic
Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directo
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41600
GHSA-5gwj-m78q-7pq3