Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/keras@3.11.3
Typepypi
Namespace
Namekeras
Version3.11.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-1xj9-1kng-8ua4
vulnerability_id VCID-1xj9-1kng-8ua4
summary Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.
references
0
reference_url https://github.com/keras-team/keras/pull/21880
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/keras-team/keras/pull/21880
fixed_packages
0
url pkg:pypi/keras@3.13.1
purl pkg:pypi/keras@3.13.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ptyp-n4df-aqf1
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.1
aliases CVE-2026-0897, PYSEC-2026-73
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1xj9-1kng-8ua4
Fixing_vulnerabilities
0
url VCID-cmug-fp72-8qc4
vulnerability_id VCID-cmug-fp72-8qc4
summary 
Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-36rr-ww3j-vrjv. This link is maintained to preserve external references.

### Original Description
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.

This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives.

Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.
references
0
reference_url https://github.com/keras-team/keras
reference_id
reference_type
scores
url https://github.com/keras-team/keras
1
reference_url https://github.com/keras-team/keras/pull/21602
reference_id
reference_type
scores
url https://github.com/keras-team/keras/pull/21602
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-9905
reference_id CVE-2025-9905
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-9905
3
reference_url https://github.com/advisories/GHSA-77wq-646f-jrm2
reference_id GHSA-77wq-646f-jrm2
reference_type
scores
url https://github.com/advisories/GHSA-77wq-646f-jrm2
fixed_packages
0
url pkg:pypi/keras@3.11.3
purl pkg:pypi/keras@3.11.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1xj9-1kng-8ua4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3
aliases GHSA-77wq-646f-jrm2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cmug-fp72-8qc4
1
url VCID-dy5p-938j-d7fr
vulnerability_id VCID-dy5p-938j-d7fr
summary 
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.

This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives.

Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.
references
0
reference_url https://github.com/keras-team/keras
reference_id
reference_type
scores
url https://github.com/keras-team/keras
1
reference_url https://github.com/keras-team/keras/pull/21602
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/keras-team/keras/pull/21602
2
reference_url https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-9905
reference_id CVE-2025-9905
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-9905
4
reference_url https://github.com/advisories/GHSA-36rr-ww3j-vrjv
reference_id GHSA-36rr-ww3j-vrjv
reference_type
scores
url https://github.com/advisories/GHSA-36rr-ww3j-vrjv
fixed_packages
0
url pkg:pypi/keras@3.11.3
purl pkg:pypi/keras@3.11.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1xj9-1kng-8ua4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3
aliases CVE-2025-9905, GHSA-36rr-ww3j-vrjv, PYSEC-2025-123
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dy5p-938j-d7fr
2
url VCID-zj76-dr8t-47d2
vulnerability_id VCID-zj76-dr8t-47d2
summary 
Keras framework vulnerable to deserialization of untrusted data
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
references
0
reference_url https://github.com/keras-team/keras
reference_id
reference_type
scores
url https://github.com/keras-team/keras
1
reference_url https://github.com/keras-team/keras/pull/21575
reference_id
reference_type
scores
url https://github.com/keras-team/keras/pull/21575
2
reference_url https://hiddenlayer.com/sai_security_advisor/2025-10-keras
reference_id
reference_type
scores
url https://hiddenlayer.com/sai_security_advisor/2025-10-keras
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49655
reference_id CVE-2025-49655
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-49655
4
reference_url https://github.com/advisories/GHSA-cvhh-q5g5-qprp
reference_id GHSA-cvhh-q5g5-qprp
reference_type
scores
url https://github.com/advisories/GHSA-cvhh-q5g5-qprp
fixed_packages
0
url pkg:pypi/keras@3.11.3
purl pkg:pypi/keras@3.11.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1xj9-1kng-8ua4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3
aliases CVE-2025-49655, GHSA-cvhh-q5g5-qprp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zj76-dr8t-47d2
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3