Search for packages
| purl | pkg:pypi/keras@2.2.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1wr2-9bym-kke5
Aliases: CVE-2025-12060 GHSA-hjqc-jx6g-rwp9 |
Keras Directory Traversal Vulnerability Keras's `keras.utils.get_file()` function is vulnerable to directory traversal attacks despite implementing `filter_safe_paths()`. The vulnerability exists because `extract_archive()` uses Python's `tarfile.extractall()` method without the security-critical `filter="data"` parameter. A PATH_MAX symlink resolution bug occurs before path filtering, allowing malicious tar archives to bypass security checks and write files outside the intended extraction directory. |
Affected by 4 other vulnerabilities. |
|
VCID-3sjs-86sn-fbe2
Aliases: CVE-2024-3660 GHSA-x4wf-678h-2pmq |
Keras code injection vulnerability A arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespective of the application. |
Affected by 8 other vulnerabilities. |
|
VCID-4mb7-t1tm-eqf8
Aliases: CVE-2025-12638 GHSA-9g7v-8wxv-mwxp |
Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references. ### Original Description Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory. This can lead to arbitrary file writes outside the cache directory, enabling potential system compromise or malicious code execution. The vulnerability affects Keras installations that process tar archives with get_file() and does not affect versions where this extraction method is secured with the appropriate filter parameter. |
Affected by 4 other vulnerabilities. |
|
VCID-4tbn-aaek-rkb9
Aliases: GHSA-5478-v2w6-c6q7 |
Duplicate Advisory: Keras arbitrary code execution vulnerability # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48g7-3x6r-xfhp. This link is maintained to preserve external references. # Original Description The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading. |
Affected by 13 other vulnerabilities. |
|
VCID-64yr-ww4w-ckdr
Aliases: CVE-2025-9906 GHSA-36fq-jgmw-4r9c PYSEC-2025-76 |
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disable, one can use the Lambda layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization() needs to appear first in the archive and the Lambda with arbitrary code needs to be second. |
Affected by 11 other vulnerabilities. |
|
VCID-aw3f-8xuy-d3gw
Aliases: CVE-2026-1462 GHSA-4f3f-g24h-fr8m |
keras: Keras: Arbitrary Code Execution Vulnerability Bypassing Safe Mode |
Affected by 0 other vulnerabilities. |
|
VCID-c11z-ye25-k7eh
Aliases: GHSA-28jp-44vh-q42h |
Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references. ### Original Description The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12). |
Affected by 4 other vulnerabilities. |
|
VCID-h5tb-645a-3fdv
Aliases: CVE-2025-12058 GHSA-mq84-hjqx-cwf2 |
Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path. * Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system. * Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server's behalf, resulting in an SSRF condition. The security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access. |
Affected by 4 other vulnerabilities. |
|
VCID-x454-t8qh-k7g1
Aliases: CVE-2024-55459 GHSA-cjgq-5qmw-rcj6 PYSEC-2025-121 |
An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function. |
Affected by 15 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||