Arbitrary Code Execution via Tensorflow's Load Function

Description

Tensorflow's low-level load function may result in arbitrary code execution. The load function can deserialize untrusted data, potentially leading to code injection attacks.

Examples

Insecure Code

python

tensorflow.saved_model.load('untrusted_model.pkl')

Secure Code

python

tensorflow.saved_model.load('trusted_model.pkl')

Remediation

Use the `tensorflow.saved_model.load()` function with a trusted model path and ensure that the model file is not tampered with or comes from an untrusted source.

Rule Details

Field	Value
ID	CODE-0247
Category	Deserialization
Severity	CRITICAL
CWE	CWE-502
Confidence	MEDIUM
Impact	HIGH
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	deserialization, code-injection
OWASP	N/A

References

https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Arbitrary Code Execution via Tensorflow's Load Function

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Arbitrary Code Execution via Tensorflow's Load Function ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Arbitrary Code Execution via Tensorflow's Load Function

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References