Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/keras@3.11.0
Typepypi
Namespace
Namekeras
Version3.11.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-1xj9-1kng-8ua4
vulnerability_id VCID-1xj9-1kng-8ua4
summary Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.
references
0
reference_url https://github.com/keras-team/keras/pull/21880
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/keras-team/keras/pull/21880
fixed_packages
0
url pkg:pypi/keras@3.13.1
purl pkg:pypi/keras@3.13.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ptyp-n4df-aqf1
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.1
aliases CVE-2026-0897, PYSEC-2026-73
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1xj9-1kng-8ua4
1
url VCID-dy5p-938j-d7fr
vulnerability_id VCID-dy5p-938j-d7fr
summary 
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.

This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives.

Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.
references
0
reference_url https://github.com/keras-team/keras
reference_id
reference_type
scores
url https://github.com/keras-team/keras
1
reference_url https://github.com/keras-team/keras/pull/21602
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/keras-team/keras/pull/21602
2
reference_url https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-9905
reference_id CVE-2025-9905
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-9905
4
reference_url https://github.com/advisories/GHSA-36rr-ww3j-vrjv
reference_id GHSA-36rr-ww3j-vrjv
reference_type
scores
url https://github.com/advisories/GHSA-36rr-ww3j-vrjv
fixed_packages
0
url pkg:pypi/keras@3.11.3
purl pkg:pypi/keras@3.11.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1xj9-1kng-8ua4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3
aliases CVE-2025-9905, GHSA-36rr-ww3j-vrjv, PYSEC-2025-123
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dy5p-938j-d7fr
2
url VCID-zj76-dr8t-47d2
vulnerability_id VCID-zj76-dr8t-47d2
summary 
Keras framework vulnerable to deserialization of untrusted data
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
references
0
reference_url https://github.com/keras-team/keras
reference_id
reference_type
scores
url https://github.com/keras-team/keras
1
reference_url https://github.com/keras-team/keras/pull/21575
reference_id
reference_type
scores
url https://github.com/keras-team/keras/pull/21575
2
reference_url https://hiddenlayer.com/sai_security_advisor/2025-10-keras
reference_id
reference_type
scores
url https://hiddenlayer.com/sai_security_advisor/2025-10-keras
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49655
reference_id CVE-2025-49655
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-49655
4
reference_url https://github.com/advisories/GHSA-cvhh-q5g5-qprp
reference_id GHSA-cvhh-q5g5-qprp
reference_type
scores
url https://github.com/advisories/GHSA-cvhh-q5g5-qprp
fixed_packages
0
url pkg:pypi/keras@3.11.3
purl pkg:pypi/keras@3.11.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1xj9-1kng-8ua4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.3
aliases CVE-2025-49655, GHSA-cvhh-q5g5-qprp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zj76-dr8t-47d2
Fixing_vulnerabilities
0
url VCID-64yr-ww4w-ckdr
vulnerability_id VCID-64yr-ww4w-ckdr
summary 
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disable, one can use the Lambda layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization() needs to appear first in the archive and the Lambda with arbitrary code needs to be second.
references
0
reference_url https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
reference_id
reference_type
scores
url https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
1
reference_url https://github.com/keras-team/keras/pull/21429
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
url https://github.com/keras-team/keras/pull/21429
2
reference_url https://github.com/keras-team/keras/releases/tag/v3.11.0
reference_id
reference_type
scores
url https://github.com/keras-team/keras/releases/tag/v3.11.0
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-76.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-76.yaml
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-9906
reference_id CVE-2025-9906
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-9906
5
reference_url https://osv.dev/vulnerability/CVE-2025-9906
reference_id CVE-2025-9906
reference_type
scores
url https://osv.dev/vulnerability/CVE-2025-9906
6
reference_url https://github.com/advisories/GHSA-36fq-jgmw-4r9c
reference_id GHSA-36fq-jgmw-4r9c
reference_type
scores
url https://github.com/advisories/GHSA-36fq-jgmw-4r9c
fixed_packages
0
url pkg:pypi/keras@3.11.0
purl pkg:pypi/keras@3.11.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1xj9-1kng-8ua4
1
vulnerability VCID-dy5p-938j-d7fr
2
vulnerability VCID-zj76-dr8t-47d2
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.0
aliases CVE-2025-9906, GHSA-36fq-jgmw-4r9c, PYSEC-2025-76
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-64yr-ww4w-ckdr
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.0