VU#253266: Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models
Lambda Layers in Keras models prior to version 2.13 allow arbitrary code injection, potentially leading to malicious code execution in AI/ML applications. This vulnerability arises from the lack of a safety check when loading models with Lambda layers stored in the older Keras serialization format. The security documentation warns about the risks of executing untrusted models, but this may not be fully understood by all developers. To address the issue, users should upgrade to Keras 2.13 or later, ensuring that the safe_mode parameter is set to True when loading models. Model aggregators should prevent the distribution of models with unsafe features, while creators should avoid using them and prioritize safe serialization formats. Framework developers should employ safer serialization mechanisms and consider restricting the execution of embedded code. By adhering to these measures, AI/ML applications can enhance their security and minimize the risk of malicious code exploitation.