Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058)
ID: 315fb5b1-276a-58d5-8dc9-afb7160657a2
STIX ID: report--315fb5b1-276a-58d5-8dc9-afb7160657a2
Feed Name: Zscaler Security Research Blog
This report outlines attack scenarios in which malicious pre-trained ML models (for example, .keras models using StringLookup vocabularies) are used to read and exfiltrate local files and cloud metadata—such as SSH private keys, .gitconfig/.netrc credentials, and AWS/GCP/Azure IAM tokens—when loaded by developers, CI systems, or cloud instances, enabling supply-chain compromise, repository takeover, and full cloud infrastructure access.
