295 matches found

Veracode
added 2025/03/13 3:28 a.m., 9 views

Insufficient Verification Of Data Authenticity

PickleScan is vulnerable to Insufficient Verification of Data Authenticity. The vulnerability is due to a discrepancy in filename handling due to differences between ZIP header filenames and directory listing filenames, which allows an attacker to bypass detection by causing PickleScan to crash...

CVSS 6.5, AI score 6.6, EPSS 0.00307
Exploits: 1, References: 7, Affected Software: 1
Github Security Blog
added 2025/03/11 8:07 p.m., 12 views

Arbitrary Code Execution via Crafted Keras Config for Model Loading

Impact The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their...

CVSS 9.8, AI score 7.2, EPSS 0.02803
Exploits: 3, References: 8, Affected Software: 1
RedhatCVE
added 2025/03/11 12:29 p.m., 5 views

CVE-2025-1550

A flaw was found in Keras. This vulnerability allows arbitrary code execution via a maliciously crafted .keras archive that manipulates the config.json file to load and execute arbitrary Python modules and functions, even with safe_mode=True. Mitigation In order to reduce the success of the attack...

CVSS 8.2, AI score 7.3, EPSS 0.02803
Exploits: 3, References: 4
PyPA
added 2025/03/11 9:15 a.m., 7 views

PYSEC-2025-122

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, ...

CVSS 9.8, AI score 6.7, EPSS 0.02803
Exploits: 3, References: 3, Affected Software: 1
OSV
added 2025/03/11 9:15 a.m., 2 views

AZL-58360 CVE-2025-1550 affecting package keras for versions less than 3.3.3-2

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, ...

CVSS 9.8, AI score 6.5, EPSS 0.02803
Exploits: 3, References: 1
OSV
added 2025/03/11 9:15 a.m., 3 views

UBUNTU-CVE-2025-1550

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, ...

CVSS 9.8, AI score 7.3, EPSS 0.02803
Exploits: 3, References: 4
Vulnrichment
added 2025/03/11 8:12 a.m., 6 views

CVE-2025-1550 Arbitrary Code Execution via Crafted Keras Config for Model Loading

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, ...

CVSS 7.3, AI score 7, EPSS 0.02803
Exploits: 3, References: 2
Positive Technologies
added 2025/03/11 12:00 a.m., 4 views

PT-2025-10719

Name of the Vulnerable Software and Affected Versions Keras versions 3.0.0 through 3.7.9 Description The Keras Model.load_model function allows for arbitrary code execution, even when safe mode is enabled. This occurs through a maliciously crafted .keras archive. An attacker can modify the...

CVSS 9.8, AI score 7.9, EPSS 0.02803
Exploits: 3, References: 39
OSV
added 2025/03/10 6:26 p.m., 5 views

GHSA-7Q5R-7GVP-WC82 Zip Exploit Crashes Picklescan But Not PyTorch

Summary PickleScan is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise...

CVSS 6.5, AI score 6.3, EPSS 0.00307
Exploits: 1, References: 6
Github Security Blog
added 2025/03/10 6:26 p.m., 14 views

Zip Exploit Crashes Picklescan But Not PyTorch

Summary PickleScan is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise...

CVSS 6.5, AI score 6.9, EPSS 0.00307
Exploits: 1, References: 6, Affected Software: 1
OSV
added 2025/03/10 12:15 p.m., 4 views

PYSEC-2025-20

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan...

CVSS 6.5, AI score 7, EPSS 0.00307
Exploits: 1, References: 3
BDU FSTEC
added 2025/03/05 12:00 a.m., 5 views

The vulnerability of the Model Loading API component in NVIDIA Triton Inference Server (previously known as TensorRT Inference Server) allows a malicious actor to trigger a service failure.

The vulnerability of the Model Loading component of NVIDIA Triton Inference Server (previously known as TensorRT Inference Server) is related to a numerical overflow issue. Exploiting this vulnerability could allow an attacker to cause a service failure...

CVSS 6.8, AI score 5.5, EPSS 0.00461
Exploits: 0, References: 4, Affected Software: 1
RedhatCVE
added 2025/02/14 1:42 a.m., 7 views

CVE-2024-53880

NVIDIA Triton Inference Server contains a vulnerability in the model loading API, where a user could cause an integer overflow or wraparound error by loading a model with an extra-large file size that overflows an internal variable. A successful exploit of this vulnerability might lead to denial ...

CVSS 6.5, AI score 6.9, EPSS 0.00461
Exploits: 0, References: 1
OSV
added 2025/02/12 1:15 a.m., 3 views

CVE-2024-53880

NVIDIA Triton Inference Server contains a vulnerability in the model loading API, where a user could cause an integer overflow or wraparound error by loading a model with an extra-large file size that overflows an internal variable. A successful exploit of this vulnerability might lead to denial ...

CVSS 6.5, AI score 5.6
Exploits: 0, References: 1
NVD
added 2025/02/12 1:15 a.m., 13 views

CVE-2024-53880

NVIDIA Triton Inference Server contains a vulnerability in the model loading API, where a user could cause an integer overflow or wraparound error by loading a model with an extra-large file size that overflows an internal variable. A successful exploit of this vulnerability might lead to denial ...

CVSS 6.5, EPSS 0.00461
Exploits: 0, References: 1
CVE
added 2025/02/12 12:39 a.m., 86 views

CVE-2024-53880

The CVE-2024-53880 entry pertains to NVIDIA Triton Inference Server. A vulnerability in the model loading API can trigger an integer overflow/wraparound when loading a model with an extra-large file size, overflow an internal variable, and potentially cause a denial of service. Exploitation detai...

CVSS 6.5, AI score 5.2, EPSS 0.00461
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2025/02/12 12:39 a.m., 10 views

CVE-2024-53880

NVIDIA Triton Inference Server contains a vulnerability in the model loading API, where a user could cause an integer overflow or wraparound error by loading a model with an extra-large file size that overflows an internal variable. A successful exploit of this vulnerability might lead to denial ...

CVSS 4.9, EPSS 0.00461
Exploits: 0, References: 1
CVE
added 2025/01/27 5:38 p.m., 289 views

CVE-2025-24357

The CVE-2025-24357 issue centers on vLLM’s hf_model_weights_iterator (vllm/model_executor/weight_utils.py) which loads checkpoints via torch.load with weights_only defaulting to False. If malicious pickle data is unpickled, arbitrary code could execute on the host. This vulnerability is highlight...

CVSS 8.8, AI score 7.7, EPSS 0.00647
Exploits: 0, References: 4, Affected Software: 1
Cvelist
added 2025/01/27 5:38 p.m., 31 views

CVE-2025-24357 vLLM allows a malicious model RCE by torch.load in hf_model_weights_iterator

vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious...

CVSS 7.5, EPSS 0.00647
Exploits: 0, References: 4
Vulnrichment
added 2025/01/14 6:59 p.m., 10 views

CVE-2024-49375 Remote Code Execution via Remote Model Loading in Rasa

Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on t...

CVSS 9, AI score 7.7, EPSS 0.00895
Exploits: 0, References: 1