{"url":"http://public2.vulnerablecode.io/api/packages/44620?format=json","purl":"pkg:pypi/keras@3.1.1","type":"pypi","namespace":"","name":"keras","version":"3.1.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.13.2","latest_non_vulnerable_version":"3.13.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49319?format=json","vulnerability_id":"VCID-1wr2-9bym-kke5","summary":"Keras Directory Traversal Vulnerability\nKeras's `keras.utils.get_file()` function is vulnerable to directory traversal attacks despite implementing `filter_safe_paths()`. The vulnerability exists because `extract_archive()` uses Python's `tarfile.extractall()` method without the security-critical `filter=\"data\"` parameter. A PATH_MAX symlink resolution bug occurs before path filtering, allowing malicious tar archives to bypass security checks and write files outside the intended extraction directory.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12060.json","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12060.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12060","reference_id":"","reference_type":"","scores":[{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28132","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12060"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12060","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12060"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951"},{"reference_url":"https://github.com/keras-team/keras/pull/21760","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-01T03:55:52Z/"}],"url":"https://github.com/keras-team/keras/pull/21760"},{"reference_url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407443","reference_id":"2407443","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407443"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060","reference_id":"CVE-2025-12060","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638","reference_id":"CVE-2025-12638","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638"},{"reference_url":"https://github.com/advisories/GHSA-hjqc-jx6g-rwp9","reference_id":"GHSA-hjqc-jx6g-rwp9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjqc-jx6g-rwp9"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9","reference_id":"GHSA-hjqc-jx6g-rwp9","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-01T03:55:52Z/"}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22759","reference_id":"RHSA-2025:22759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22759"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23531","reference_id":"RHSA-2025:23531","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23531"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["CVE-2025-12060","GHSA-hjqc-jx6g-rwp9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1wr2-9bym-kke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37184?format=json","vulnerability_id":"VCID-1xj9-1kng-8ua4","summary":"Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0897.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0897.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0897","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13663","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0897"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0897","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0897"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/7360d4f0d764fbb1fa9c6408fe53da41974dd4f6","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/7360d4f0d764fbb1fa9c6408fe53da41974dd4f6"},{"reference_url":"https://github.com/keras-team/keras/commit/f704c887bf459b42769bfc8a9182f838009afddb","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/f704c887bf459b42769bfc8a9182f838009afddb"},{"reference_url":"https://github.com/keras-team/keras/pull/21880","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-15T16:31:40Z/"}],"url":"https://github.com/keras-team/keras/pull/21880"},{"reference_url":"https://github.com/keras-team/keras/pull/22081","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/22081"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-mgx6-5cf9-rr43","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-mgx6-5cf9-rr43"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2430027","reference_id":"2430027","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2430027"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0897","reference_id":"CVE-2026-0897","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0897"},{"reference_url":"https://github.com/advisories/GHSA-mgx6-5cf9-rr43","reference_id":"GHSA-mgx6-5cf9-rr43","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mgx6-5cf9-rr43"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3713","reference_id":"RHSA-2026:3713","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3713"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3782","reference_id":"RHSA-2026:3782","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3782"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4271","reference_id":"RHSA-2026:4271","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4271"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47088?format=json","purl":"pkg:pypi/keras@3.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.1"},{"url":"http://public2.vulnerablecode.io/api/packages/47091?format=json","purl":"pkg:pypi/keras@3.13.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.1"},{"url":"http://public2.vulnerablecode.io/api/packages/74109?format=json","purl":"pkg:pypi/keras@3.13.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.2"}],"aliases":["CVE-2026-0897","GHSA-mgx6-5cf9-rr43","PYSEC-2026-73"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1xj9-1kng-8ua4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49274?format=json","vulnerability_id":"VCID-4mb7-t1tm-eqf8","summary":"Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references.\n\n### Original Description\nKeras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory. This can lead to arbitrary file writes outside the cache directory, enabling potential system compromise or malicious code execution. The vulnerability affects Keras installations that process tar archives with get_file() and does not affect versions where this extraction method is secured with the appropriate filter parameter.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12638.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12638.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12638","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.0932","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12638"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12638","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12638"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951"},{"reference_url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-11-28T15:07:39Z/"}],"url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417711","reference_id":"2417711","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417711"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638","reference_id":"CVE-2025-12638","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638"},{"reference_url":"https://github.com/advisories/GHSA-9g7v-8wxv-mwxp","reference_id":"GHSA-9g7v-8wxv-mwxp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9g7v-8wxv-mwxp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23531","reference_id":"RHSA-2025:23531","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23531"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3713","reference_id":"RHSA-2026:3713","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3713"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4271","reference_id":"RHSA-2026:4271","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4271"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["CVE-2025-12638","GHSA-9g7v-8wxv-mwxp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4mb7-t1tm-eqf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56790?format=json","vulnerability_id":"VCID-4tbn-aaek-rkb9","summary":"Duplicate Advisory: Keras arbitrary code execution vulnerability\n# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-48g7-3x6r-xfhp. This link is maintained to preserve external references.\n\n# Original Description\n\nThe Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.","references":[{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903"},{"reference_url":"https://github.com/keras-team/keras/pull/20751","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/20751"},{"reference_url":"https://github.com/keras-team/keras/releases/tag/v3.9.0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/releases/tag/v3.9.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1550","reference_id":"CVE-2025-1550","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1550"},{"reference_url":"https://github.com/advisories/GHSA-5478-v2w6-c6q7","reference_id":"GHSA-5478-v2w6-c6q7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5478-v2w6-c6q7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46353?format=json","purl":"pkg:pypi/keras@3.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-64yr-ww4w-ckdr"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-d61w-bj6k-9kc9"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-rgqk-3hht-h3dc"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.9.0"}],"aliases":["GHSA-5478-v2w6-c6q7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4tbn-aaek-rkb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37114?format=json","vulnerability_id":"VCID-64yr-ww4w-ckdr","summary":"The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disable, one can use the Lambda layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization() needs to appear first in the archive and the Lambda with arbitrary code needs to be second.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9906.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9906.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9906","reference_id":"","reference_type":"","scores":[{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21169","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9906"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9906","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9906"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858"},{"reference_url":"https://github.com/keras-team/keras/pull/21429","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-20T03:55:42Z/"}],"url":"https://github.com/keras-team/keras/pull/21429"},{"reference_url":"https://github.com/keras-team/keras/releases/tag/v3.11.0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/releases/tag/v3.11.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-76.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-76.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2396644","reference_id":"2396644","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2396644"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9906","reference_id":"CVE-2025-9906","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9906"},{"reference_url":"https://osv.dev/vulnerability/CVE-2025-9906","reference_id":"CVE-2025-9906","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://osv.dev/vulnerability/CVE-2025-9906"},{"reference_url":"https://github.com/advisories/GHSA-36fq-jgmw-4r9c","reference_id":"GHSA-36fq-jgmw-4r9c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-36fq-jgmw-4r9c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23531","reference_id":"RHSA-2025:23531","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23531"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46357?format=json","purl":"pkg:pypi/keras@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zj76-dr8t-47d2"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.0"}],"aliases":["CVE-2025-9906","GHSA-36fq-jgmw-4r9c","PYSEC-2025-76"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64yr-ww4w-ckdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62851?format=json","vulnerability_id":"VCID-aw3f-8xuy-d3gw","summary":"keras: Keras: Arbitrary Code Execution Vulnerability Bypassing Safe Mode","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1462.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1462.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1462","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21716","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1462"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1462","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1462"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T18:53:01Z/"}],"url":"https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f"},{"reference_url":"https://github.com/keras-team/keras/pull/22035","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/22035"},{"reference_url":"https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T18:53:01Z/"}],"url":"https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1462","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1462"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457856","reference_id":"2457856","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457856"},{"reference_url":"https://github.com/advisories/GHSA-4f3f-g24h-fr8m","reference_id":"GHSA-4f3f-g24h-fr8m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4f3f-g24h-fr8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74109?format=json","purl":"pkg:pypi/keras@3.13.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.2"}],"aliases":["CVE-2026-1462","GHSA-4f3f-g24h-fr8m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aw3f-8xuy-d3gw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48306?format=json","vulnerability_id":"VCID-c11z-ye25-k7eh","summary":"Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references.\n\n### Original Description\nThe keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter=\"data\" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).","references":[{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951"},{"reference_url":"https://github.com/keras-team/keras/pull/21760","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/21760"},{"reference_url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060","reference_id":"CVE-2025-12060","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060"},{"reference_url":"https://github.com/advisories/GHSA-28jp-44vh-q42h","reference_id":"GHSA-28jp-44vh-q42h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-28jp-44vh-q42h"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9","reference_id":"GHSA-hjqc-jx6g-rwp9","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["GHSA-28jp-44vh-q42h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c11z-ye25-k7eh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47819?format=json","vulnerability_id":"VCID-cmug-fp72-8qc4","summary":"Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-36rr-ww3j-vrjv. This link is maintained to preserve external references.\n\n### Original Description\nThe Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\n\nThis is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives.\n\nNote that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.","references":[{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/pull/21602","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/21602"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9905","reference_id":"CVE-2025-9905","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9905"},{"reference_url":"https://github.com/advisories/GHSA-77wq-646f-jrm2","reference_id":"GHSA-77wq-646f-jrm2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-77wq-646f-jrm2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46360?format=json","purl":"pkg:pypi/keras@3.11.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3"}],"aliases":["GHSA-77wq-646f-jrm2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cmug-fp72-8qc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37104?format=json","vulnerability_id":"VCID-d61w-bj6k-9kc9","summary":"A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-8747","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01357","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-8747"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858"},{"reference_url":"https://github.com/keras-team/keras/pull/21429","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-11T13:31:26Z/"}],"url":"https://github.com/keras-team/keras/pull/21429"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-75.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-75.yaml"},{"reference_url":"https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability"},{"reference_url":"https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability/","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-11T13:31:26Z/"}],"url":"https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8747","reference_id":"CVE-2025-8747","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8747"},{"reference_url":"https://github.com/advisories/GHSA-c9rc-mg46-23w3","reference_id":"GHSA-c9rc-mg46-23w3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c9rc-mg46-23w3"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-c9rc-mg46-23w3","reference_id":"GHSA-c9rc-mg46-23w3","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-c9rc-mg46-23w3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46357?format=json","purl":"pkg:pypi/keras@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zj76-dr8t-47d2"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.0"}],"aliases":["CVE-2025-8747","GHSA-c9rc-mg46-23w3","PYSEC-2025-75"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d61w-bj6k-9kc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37113?format=json","vulnerability_id":"VCID-dy5p-938j-d7fr","summary":"The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\n\nThis is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives.\n\nNote that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9905.json","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9905.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9905","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00706","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9905"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9905","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9905"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/pull/21602","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-19T11:47:46Z/"}],"url":"https://github.com/keras-team/keras/pull/21602"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-19T11:47:46Z/"}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2396645","reference_id":"2396645","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2396645"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9905","reference_id":"CVE-2025-9905","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9905"},{"reference_url":"https://github.com/advisories/GHSA-36rr-ww3j-vrjv","reference_id":"GHSA-36rr-ww3j-vrjv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-36rr-ww3j-vrjv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22759","reference_id":"RHSA-2025:22759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22759"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23531","reference_id":"RHSA-2025:23531","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23531"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46360?format=json","purl":"pkg:pypi/keras@3.11.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3"}],"aliases":["CVE-2025-9905","GHSA-36rr-ww3j-vrjv","PYSEC-2025-123"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dy5p-938j-d7fr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36992?format=json","vulnerability_id":"VCID-gu8d-jjtb-zuau","summary":"The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1550.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1550.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-1550","reference_id":"","reference_type":"","scores":[{"value":"0.07973","scoring_system":"epss","scoring_elements":"0.9223","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-1550"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903"},{"reference_url":"https://github.com/keras-team/keras/pull/20751","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-24T15:28:37Z/"}],"url":"https://github.com/keras-team/keras/pull/20751"},{"reference_url":"https://github.com/keras-team/keras/releases/tag/v3.9.0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/releases/tag/v3.9.0"},{"reference_url":"https://towerofhanoi.it/writeups/cve-2025-1550/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-24T15:28:37Z/"}],"url":"https://towerofhanoi.it/writeups/cve-2025-1550/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2351304","reference_id":"2351304","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2351304"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52359.py","reference_id":"CVE-2025-1550","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52359.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1550","reference_id":"CVE-2025-1550","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1550"},{"reference_url":"https://github.com/advisories/GHSA-48g7-3x6r-xfhp","reference_id":"GHSA-48g7-3x6r-xfhp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-48g7-3x6r-xfhp"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-48g7-3x6r-xfhp","reference_id":"GHSA-48g7-3x6r-xfhp","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-48g7-3x6r-xfhp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44632?format=json","purl":"pkg:pypi/keras@3.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-4tbn-aaek-rkb9"},{"vulnerability":"VCID-64yr-ww4w-ckdr"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-d61w-bj6k-9kc9"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-gu8d-jjtb-zuau"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-rgqk-3hht-h3dc"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/46353?format=json","purl":"pkg:pypi/keras@3.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-64yr-ww4w-ckdr"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-d61w-bj6k-9kc9"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-rgqk-3hht-h3dc"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.9.0"}],"aliases":["CVE-2025-1550","GHSA-48g7-3x6r-xfhp","PYSEC-2025-122"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gu8d-jjtb-zuau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48199?format=json","vulnerability_id":"VCID-h5tb-645a-3fdv","summary":"Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery\nThe Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF).\n\n\nThis vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path.\n\n*  Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system.\n\n\n*  Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server's behalf, resulting in an SSRF condition.\n\n\nThe security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12058.json","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12058.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12058","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23509","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12058"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12058","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12058"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/61ac8c1e51862c471dee7b49029c356f55531487","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/61ac8c1e51862c471dee7b49029c356f55531487"},{"reference_url":"https://github.com/keras-team/keras/pull/21751","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-29T14:07:04Z/"}],"url":"https://github.com/keras-team/keras/pull/21751"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-12058","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-12058"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407019","reference_id":"2407019","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407019"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12058","reference_id":"CVE-2025-12058","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12058"},{"reference_url":"https://github.com/advisories/GHSA-mq84-hjqx-cwf2","reference_id":"GHSA-mq84-hjqx-cwf2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mq84-hjqx-cwf2"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-qg93-c7p6-gg7f","reference_id":"GHSA-qg93-c7p6-gg7f","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-29T14:07:04Z/"}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-qg93-c7p6-gg7f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["CVE-2025-12058","GHSA-mq84-hjqx-cwf2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5tb-645a-3fdv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50119?format=json","vulnerability_id":"VCID-ptyp-n4df-aqf1","summary":"Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration)\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-3m4q-jmj6-r34q. This link is maintained to preserve external references.\n\n## Original Description\nArbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.","references":[{"reference_url":"https://github.com/google/security-research/security/advisories","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/google/security-research/security/advisories"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1669","reference_id":"CVE-2026-1669","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1669"},{"reference_url":"https://github.com/advisories/GHSA-gfmx-qqqh-f38q","reference_id":"GHSA-gfmx-qqqh-f38q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfmx-qqqh-f38q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74109?format=json","purl":"pkg:pypi/keras@3.13.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.2"}],"aliases":["GHSA-gfmx-qqqh-f38q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ptyp-n4df-aqf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57809?format=json","vulnerability_id":"VCID-rgqk-3hht-h3dc","summary":"Duplicate Advisory: Keras safe mode bypass vulnerability\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-c9rc-mg46-23w3. This link is maintained to preserve external references.\n\n### Original Description\nA safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.","references":[{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858"},{"reference_url":"https://github.com/keras-team/keras/pull/21429","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/21429"},{"reference_url":"https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8747","reference_id":"CVE-2025-8747","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8747"},{"reference_url":"https://github.com/advisories/GHSA-pwq7-2gvj-vg9v","reference_id":"GHSA-pwq7-2gvj-vg9v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pwq7-2gvj-vg9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46357?format=json","purl":"pkg:pypi/keras@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zj76-dr8t-47d2"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.0"}],"aliases":["GHSA-pwq7-2gvj-vg9v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rgqk-3hht-h3dc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36956?format=json","vulnerability_id":"VCID-x454-t8qh-k7g1","summary":"An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-55459.json","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-55459.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55459","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35186","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55459"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55459","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55459"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-08T17:32:15Z/"}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/blob/8f5592bcb61ff48c96560c8923e482db1076b54a/keras/src/utils/file_utils.py#L115","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/blob/8f5592bcb61ff48c96560c8923e482db1076b54a/keras/src/utils/file_utils.py#L115"},{"reference_url":"https://keras.io","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-08T17:32:15Z/"}],"url":"https://keras.io"},{"reference_url":"https://river-bicycle-f1e.notion.site/Arbitrary-File-Write-Vulnerability-in-get_file-function-11888e31952580179224e50892976d32","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-08T17:32:15Z/"}],"url":"https://river-bicycle-f1e.notion.site/Arbitrary-File-Write-Vulnerability-in-get_file-function-11888e31952580179224e50892976d32"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2336426","reference_id":"2336426","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2336426"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55459","reference_id":"CVE-2024-55459","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55459"},{"reference_url":"https://github.com/advisories/GHSA-cjgq-5qmw-rcj6","reference_id":"GHSA-cjgq-5qmw-rcj6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cjgq-5qmw-rcj6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44632?format=json","purl":"pkg:pypi/keras@3.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-4tbn-aaek-rkb9"},{"vulnerability":"VCID-64yr-ww4w-ckdr"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-d61w-bj6k-9kc9"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-gu8d-jjtb-zuau"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-rgqk-3hht-h3dc"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.8.0"}],"aliases":["CVE-2024-55459","GHSA-cjgq-5qmw-rcj6","PYSEC-2025-121"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x454-t8qh-k7g1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50212?format=json","vulnerability_id":"VCID-zsjb-zbnj-z3d8","summary":"Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading\nTensorFlow / Keras continues to honor HDF5 “external storage” and `ExternalLink` features when loading weights. A malicious `.weights.h5` (or a `.keras` archive embedding such weights) can direct `load_weights()` to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras “safe mode” only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (`tensorflow 2.20.0`, `keras 3.11.3`, `h5py 3.15.1`, `numpy 2.3.4`).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1669.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1669.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1669","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02902","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1669"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1669","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1669"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/8a37f9dadd8e23fa4ee3f537eeb6413e75d12553","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/8a37f9dadd8e23fa4ee3f537eeb6413e75d12553"},{"reference_url":"https://github.com/keras-team/keras/pull/22057","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/22057"},{"reference_url":"https://github.com/keras-team/keras/releases/tag/v3.12.1","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/releases/tag/v3.12.1"},{"reference_url":"https://github.com/keras-team/keras/releases/tag/v3.13.2","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/releases/tag/v3.13.2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439205","reference_id":"2439205","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439205"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1669","reference_id":"CVE-2026-1669","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1669"},{"reference_url":"https://github.com/advisories/GHSA-3m4q-jmj6-r34q","reference_id":"GHSA-3m4q-jmj6-r34q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3m4q-jmj6-r34q"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-3m4q-jmj6-r34q","reference_id":"GHSA-3m4q-jmj6-r34q","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-3m4q-jmj6-r34q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47088?format=json","purl":"pkg:pypi/keras@3.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.1"},{"url":"http://public2.vulnerablecode.io/api/packages/74109?format=json","purl":"pkg:pypi/keras@3.13.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.2"}],"aliases":["CVE-2026-1669","GHSA-3m4q-jmj6-r34q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zsjb-zbnj-z3d8"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.1.1"}