A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled code execution during model inference under the victims privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the from_config() method.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keras | Keras | 3.13.0 (including) | 3.13.0 (including) |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-modelmesh-runtime-adapter-rhel9:1780394782 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9:1782471734 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:1782471879 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9:1782471730 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9:1782471835 | * |