VYPR
Critical severity · NVD Advisory · Published Apr 16, 2024 · Updated Feb 13, 2025

Arbitrary code injection vulnerability in Keras framework < 2.13

CVE-2024-3660

Description

An arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allows arbitrary code irrespective of the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Arbitrary code injection in TensorFlow Keras (<2.13) via Lambda layers allows attackers to execute code when loading malicious models, risking supply chain attacks.

Vulnerability

CVE-2024-3660 is an arbitrary code injection vulnerability in TensorFlow's Keras framework prior to version 2.13. The root cause is the Lambda layer, which allows developers to embed arbitrary Python lambda functions into models. In versions before 2.13, the Model.load_model() method does not adequately restrict deserialization of these Lambda layers, enabling code injection [1][2].

Exploitation

An attacker can craft a model containing a malicious Lambda layer, save it (e.g., in Keras v3, v2 SavedModel, or legacy H5 format), and redistribute it. When a victim loads the model with load_model() without safe_mode (available only in v3 format on 2.13+), the attacker's code executes with the application's permissions. No prior authentication is needed; the attack vector is supply chain through model files [1][2].

Impact

Successful exploitation grants arbitrary code execution in the context of the vulnerable application. This can lead to data theft, system compromise, or supply chain attacks, especially in AI/ML pipelines where models are shared [2][3].

Mitigation

Upgrade to Keras 2.13 or later, which introduces safe_mode that blocks Lambda layer deserialization by default. For older versions, avoid loading models from untrusted sources [4].
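
An added example (not from the advisory or the Keras project): a pre-load check that lists Lambda layers in a .keras (v3) archive by reading its config.json with the standard library only, so nothing is deserialized. The function names and sample archives are constructed for illustration; files that are not a v3 zip archive, such as legacy H5, are rejected rather than parsed.

```python
import io
import json
import zipfile

def find_lambda_layers(node, path="model"):
    """Recursively collect the location of every Lambda layer in a config tree."""
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") == "Lambda":
            cfg = node.get("config")
            name = cfg.get("name", "?") if isinstance(cfg, dict) else "?"
            hits.append(f"{path} (name={name})")
        for key, value in node.items():
            hits.extend(find_lambda_layers(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_lambda_layers(item, f"{path}[{i}]"))
    return hits

def scan_keras_archive(data: bytes):
    """Inspect a .keras (v3) archive without loading the model.

    Returns the Lambda layer locations found in config.json. Raises ValueError
    for anything that is not a zip containing config.json, so callers fail closed.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a .keras v3 archive; treat as untrusted")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("archive has no config.json; treat as untrusted")
        config = json.loads(zf.read("config.json"))
    return find_lambda_layers(config)

def make_sample(layers):
    """Build a constructed, weight-less .keras-style archive for the demo."""
    config = {"class_name": "Sequential", "config": {"name": "demo", "layers": layers}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()

DENSE = {"class_name": "Dense", "config": {"name": "dense_1", "units": 4}}
# Constructed Lambda entry; the function field is a placeholder, not real code.
LAMBDA = {"class_name": "Lambda", "config": {"name": "lambda_1", "function": "<placeholder>"}}
NESTED = {"class_name": "Sequential", "config": {"name": "inner", "layers": [LAMBDA]}}

if __name__ == "__main__":
    print(scan_keras_archive(make_sample([DENSE])))          # clean model
    print(scan_keras_archive(make_sample([DENSE, NESTED])))  # Lambda in a nested model
```

A non-empty result means the file should be quarantined for review instead of being passed to load_model().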

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
keras (PyPI)   < 2.13.1rc0         2.13.1rc0
