
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-3660 is a critical arbitrary code injection vulnerability affecting TensorFlow's Keras framework in versions prior to 2.13. The vulnerability was disclosed in April 2024 and allows an attacker to execute arbitrary code, with the same permissions as the application, whenever that application loads a model whose Lambda layers carry malicious code (CERT Advisory, NVD). The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) from CISA-ADP.
The vulnerability exists in the Lambda layer functionality of Keras, which lets developers add arbitrary Python code to a model through lambda functions. When Model.save() or save_model() is called, this code is serialized and stored with the model. The vulnerability stems from the unsafe deserialization of Lambda layers in older model formats (v2 SavedModel, legacy H5) that lack proper security checks. The issue is particularly concerning because the marshal module used for serialization is unsafe by design and can execute arbitrary code upon deserialization (Oligo Security).
When exploited, this vulnerability allows attackers to execute arbitrary code with the same privileges as the ML application environment. This could lead to unauthorized access, data breaches, and complete system compromise. The vulnerability is particularly dangerous in the context of AI/ML supply chains, as attackers could trojanize popular models and redistribute them, affecting dependent applications (CERT Advisory).
Users should upgrade to Keras version 2.13 or later, which implements a safe_mode parameter (defaulting to True) that prevents unsafe Lambda layer deserialization. When loading models, ensure safe_mode is not set to False. For applications that cannot move off pre-2.13 versions, it is recommended to run them in a sandbox with no valuable assets in scope. Organizations should also verify the behavior of models before deployment and only use models from trusted sources (CERT Advisory).
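The model-verification step above can be partly automated before a model is ever handed to Keras. The following is an added example, not code from Keras, Wiz or the advisory: it opens a .keras archive (a zip whose config.json holds the layer graph), walks the config recursively and reports every Lambda layer, including ones nested in sub-models, so a pipeline can reject or quarantine such files. The sample archives are constructed inline for the demonstration; the `build_sample_archive` helper and the exact config shape are assumptions made here rather than a guaranteed match for every Keras version.

```python
import io
import json
import zipfile

# Layer classes whose serialized config can carry Python code. "Lambda" is the
# class named in the advisory; extend this set if your policy covers others.
CODE_CARRYING_LAYERS = {"Lambda"}


def find_lambda_layers(config, path="model"):
    """Recursively walk a Keras model config (nested dicts/lists) and return the
    config path of every Lambda layer, including layers nested in sub-models
    (Sequential or Functional models embedded in a parent model)."""
    findings = []
    if isinstance(config, dict):
        cls = config.get("class_name")
        inner = config.get("config")
        name = inner.get("name") if isinstance(inner, dict) else None
        if cls in CODE_CARRYING_LAYERS:
            findings.append(f"{path}/{name or cls}")
        for key, value in config.items():
            findings.extend(find_lambda_layers(value, f"{path}/{key}"))
    elif isinstance(config, list):
        for i, item in enumerate(config):
            findings.extend(find_lambda_layers(item, f"{path}[{i}]"))
    return findings


def inspect_keras_archive(data: bytes):
    """Inspect the bytes of a .keras archive without importing Keras.
    Returns (is_clean, findings); is_clean is False if any Lambda layer exists."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("not a .keras archive: config.json missing")
        config = json.loads(zf.read("config.json"))
    findings = find_lambda_layers(config)
    return (len(findings) == 0, findings)


def build_sample_archive(with_lambda: bool) -> bytes:
    """Constructed sample: a minimal .keras archive holding a Sequential model
    config, optionally with a Lambda layer. The 'function' field is a placeholder
    string, not real serialized bytecode."""
    layers = [{"class_name": "Dense", "config": {"name": "dense", "units": 4}}]
    if with_lambda:
        layers.append({
            "class_name": "Lambda",
            "config": {"name": "lambda_1", "function": "<serialized function would be here>"},
        })
    config = {"class_name": "Sequential", "config": {"name": "sequential", "layers": layers}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"note": "constructed sample"}))
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        clean, hits = inspect_keras_archive(build_sample_archive(flag))
        print("clean" if clean else f"REJECT: Lambda layers at {hits}")
```

This pre-check complements, rather than replaces, loading with `keras.saving.load_model(path, safe_mode=True)` on Keras 2.13 or later; the scan only covers the .keras zip format, so legacy H5 files (whose config lives in the `model_config` attribute of the HDF5 root, readable with h5py) and SavedModel directories need their own inspection or should simply be refused from untrusted sources.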
Google initially treated this as a documented behavior rather than a vulnerability, as mentioned in their security documentation. However, CERT/CC and its partners pushed for publishing an advisory with a CVE to make it actionable for users to update to safer versions. The security community has highlighted this as an example of the broader security challenges in AI/ML supply chains (CERT Advisory).
Source: This report was generated using AI