{"url":"http://public2.vulnerablecode.io/api/packages/732391?format=json","purl":"pkg:pypi/keras@1.2.2","type":"pypi","namespace":"","name":"keras","version":"1.2.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.13.2","latest_non_vulnerable_version":"3.13.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49319?format=json","vulnerability_id":"VCID-1wr2-9bym-kke5","summary":"Keras Directory Traversal Vulnerability\nKeras's `keras.utils.get_file()` function is vulnerable to directory traversal attacks despite implementing `filter_safe_paths()`. The vulnerability exists because `extract_archive()` uses Python's `tarfile.extractall()` method without the security-critical `filter=\"data\"` parameter. A PATH_MAX symlink resolution bug occurs before path filtering, allowing malicious tar archives to bypass security checks and write files outside the intended extraction directory.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12060.json","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12060.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12060","reference_id":"","reference_type":"","scores":[{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28003","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28132","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28083","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00105","scoring_system":"epss","scoring_elements":"0.28046","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12060"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12060","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12060"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951"},{"reference_url":"https://github.com/keras-team/keras/pull/21760","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-01T03:55:52Z/"}],"url":"https://github.com/keras-team/keras/pull/21760"},{"reference_url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407443","reference_id":"2407443","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407443"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060","reference_id":"CVE-2025-12060","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638","reference_id":"CVE-2025-12638","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638"},{"reference_url":"https://github.com/advisories/GHSA-hjqc-jx6g-rwp9","reference_id":"GHSA-hjqc-jx6g-rwp9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjqc-jx6g-rwp9"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9","reference_id":"GHSA-hjqc-jx6g-rwp9","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-01T03:55:52Z/"}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22759","reference_id":"RHSA-2025:22759","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22759"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23531","reference_id":"RHSA-2025:23531","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23531"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["CVE-2025-12060","GHSA-hjqc-jx6g-rwp9"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1wr2-9bym-kke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47487?format=json","vulnerability_id":"VCID-3sjs-86sn-fbe2","summary":"Keras code injection vulnerability\nA arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespective of the application.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3660","reference_id":"","reference_type":"","scores":[{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59211","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59186","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59203","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0037","scoring_system":"epss","scoring_elements":"0.59207","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3660"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3660","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3660"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/compare/r2.12...r2.13","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/compare/r2.12...r2.13"},{"reference_url":"https://kb.cert.org/vuls/id/253266","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-07-29T19:29:38Z/"}],"url":"https://kb.cert.org/vuls/id/253266"},{"reference_url":"https://www.kb.cert.org/vuls/id/253266","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-07-29T19:29:38Z/"}],"url":"https://www.kb.cert.org/vuls/id/253266"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3660","reference_id":"CVE-2024-3660","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3660"},{"reference_url":"https://github.com/advisories/GHSA-x4wf-678h-2pmq","reference_id":"GHSA-x4wf-678h-2pmq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x4wf-678h-2pmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69795?format=json","purl":"pkg:pypi/keras@2.13.1rc0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-4tbn-aaek-rkb9"},{"vulnerability":"VCID-64yr-ww4w-ckdr"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-x454-t8qh-k7g1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@2.13.1rc0"}],"aliases":["CVE-2024-3660","GHSA-x4wf-678h-2pmq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3sjs-86sn-fbe2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49274?format=json","vulnerability_id":"VCID-4mb7-t1tm-eqf8","summary":"Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references.\n\n### Original Description\nKeras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory. This can lead to arbitrary file writes outside the cache directory, enabling potential system compromise or malicious code execution. The vulnerability affects Keras installations that process tar archives with get_file() and does not affect versions where this extraction method is secured with the appropriate filter parameter.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12638.json","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12638.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12638","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09264","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.0932","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09339","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09324","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12638"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12638","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12638"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951"},{"reference_url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-11-28T15:07:39Z/"}],"url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417711","reference_id":"2417711","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417711"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638","reference_id":"CVE-2025-12638","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12638"},{"reference_url":"https://github.com/advisories/GHSA-9g7v-8wxv-mwxp","reference_id":"GHSA-9g7v-8wxv-mwxp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9g7v-8wxv-mwxp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23531","reference_id":"RHSA-2025:23531","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23531"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3713","reference_id":"RHSA-2026:3713","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3713"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4271","reference_id":"RHSA-2026:4271","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4271"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["CVE-2025-12638","GHSA-9g7v-8wxv-mwxp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4mb7-t1tm-eqf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56790?format=json","vulnerability_id":"VCID-4tbn-aaek-rkb9","summary":"Duplicate Advisory: Keras arbitrary code execution vulnerability\n# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-48g7-3x6r-xfhp. This link is maintained to preserve external references.\n\n# Original Description\n\nThe Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.","references":[{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903"},{"reference_url":"https://github.com/keras-team/keras/pull/20751","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/20751"},{"reference_url":"https://github.com/keras-team/keras/releases/tag/v3.9.0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/releases/tag/v3.9.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1550","reference_id":"CVE-2025-1550","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1550"},{"reference_url":"https://github.com/advisories/GHSA-5478-v2w6-c6q7","reference_id":"GHSA-5478-v2w6-c6q7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5478-v2w6-c6q7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46353?format=json","purl":"pkg:pypi/keras@3.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-64yr-ww4w-ckdr"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-d61w-bj6k-9kc9"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-rgqk-3hht-h3dc"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.9.0"}],"aliases":["GHSA-5478-v2w6-c6q7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4tbn-aaek-rkb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37114?format=json","vulnerability_id":"VCID-64yr-ww4w-ckdr","summary":"The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disable, one can use the Lambda layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization() needs to appear first in the archive and the Lambda with arbitrary code needs to be second.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9906.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-9906.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9906","reference_id":"","reference_type":"","scores":[{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21156","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21169","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21048","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21112","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9906"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9906","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9906"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858"},{"reference_url":"https://github.com/keras-team/keras/pull/21429","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-09-20T03:55:42Z/"}],"url":"https://github.com/keras-team/keras/pull/21429"},{"reference_url":"https://github.com/keras-team/keras/releases/tag/v3.11.0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/releases/tag/v3.11.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-76.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-76.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2396644","reference_id":"2396644","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2396644"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9906","reference_id":"CVE-2025-9906","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9906"},{"reference_url":"https://osv.dev/vulnerability/CVE-2025-9906","reference_id":"CVE-2025-9906","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://osv.dev/vulnerability/CVE-2025-9906"},{"reference_url":"https://github.com/advisories/GHSA-36fq-jgmw-4r9c","reference_id":"GHSA-36fq-jgmw-4r9c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-36fq-jgmw-4r9c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23531","reference_id":"RHSA-2025:23531","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23531"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46357?format=json","purl":"pkg:pypi/keras@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zj76-dr8t-47d2"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.11.0"}],"aliases":["CVE-2025-9906","GHSA-36fq-jgmw-4r9c","PYSEC-2025-76"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64yr-ww4w-ckdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62851?format=json","vulnerability_id":"VCID-aw3f-8xuy-d3gw","summary":"keras: Keras: Arbitrary Code Execution Vulnerability Bypassing Safe Mode","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1462.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1462.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1462","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.216","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21716","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21703","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21659","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1462"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1462","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1462"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T18:53:01Z/"}],"url":"https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f"},{"reference_url":"https://github.com/keras-team/keras/pull/22035","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/22035"},{"reference_url":"https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-13T18:53:01Z/"}],"url":"https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1462","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1462"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457856","reference_id":"2457856","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457856"},{"reference_url":"https://github.com/advisories/GHSA-4f3f-g24h-fr8m","reference_id":"GHSA-4f3f-g24h-fr8m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4f3f-g24h-fr8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74109?format=json","purl":"pkg:pypi/keras@3.13.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.13.2"}],"aliases":["CVE-2026-1462","GHSA-4f3f-g24h-fr8m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aw3f-8xuy-d3gw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48306?format=json","vulnerability_id":"VCID-c11z-ye25-k7eh","summary":"Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references.\n\n### Original Description\nThe keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter=\"data\" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).","references":[{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951"},{"reference_url":"https://github.com/keras-team/keras/pull/21760","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/pull/21760"},{"reference_url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060","reference_id":"CVE-2025-12060","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12060"},{"reference_url":"https://github.com/advisories/GHSA-28jp-44vh-q42h","reference_id":"GHSA-28jp-44vh-q42h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-28jp-44vh-q42h"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9","reference_id":"GHSA-hjqc-jx6g-rwp9","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["GHSA-28jp-44vh-q42h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c11z-ye25-k7eh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48199?format=json","vulnerability_id":"VCID-h5tb-645a-3fdv","summary":"Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery\nThe Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF).\n\n\nThis vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path.\n\n*  Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system.\n\n\n*  Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server's behalf, resulting in an SSRF condition.\n\n\nThe security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12058.json","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12058.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12058","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23393","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23509","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23493","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23447","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12058"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12058","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12058"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/commit/61ac8c1e51862c471dee7b49029c356f55531487","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/commit/61ac8c1e51862c471dee7b49029c356f55531487"},{"reference_url":"https://github.com/keras-team/keras/pull/21751","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-29T14:07:04Z/"}],"url":"https://github.com/keras-team/keras/pull/21751"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-12058","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-12058"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407019","reference_id":"2407019","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407019"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12058","reference_id":"CVE-2025-12058","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12058"},{"reference_url":"https://github.com/advisories/GHSA-mq84-hjqx-cwf2","reference_id":"GHSA-mq84-hjqx-cwf2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mq84-hjqx-cwf2"},{"reference_url":"https://github.com/keras-team/keras/security/advisories/GHSA-qg93-c7p6-gg7f","reference_id":"GHSA-qg93-c7p6-gg7f","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-29T14:07:04Z/"}],"url":"https://github.com/keras-team/keras/security/advisories/GHSA-qg93-c7p6-gg7f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47087?format=json","purl":"pkg:pypi/keras@3.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.12.0"}],"aliases":["CVE-2025-12058","GHSA-mq84-hjqx-cwf2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5tb-645a-3fdv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36956?format=json","vulnerability_id":"VCID-x454-t8qh-k7g1","summary":"An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-55459.json","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-55459.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55459","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35201","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35186","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35129","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35164","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55459"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55459","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55459"},{"reference_url":"https://github.com/keras-team/keras","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-08T17:32:15Z/"}],"url":"https://github.com/keras-team/keras"},{"reference_url":"https://github.com/keras-team/keras/blob/8f5592bcb61ff48c96560c8923e482db1076b54a/keras/src/utils/file_utils.py#L115","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/keras-team/keras/blob/8f5592bcb61ff48c96560c8923e482db1076b54a/keras/src/utils/file_utils.py#L115"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-121.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-121.yaml"},{"reference_url":"https://keras.io","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-08T17:32:15Z/"}],"url":"https://keras.io"},{"reference_url":"https://river-bicycle-f1e.notion.site/Arbitrary-File-Write-Vulnerability-in-get_file-function-11888e31952580179224e50892976d32","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-08T17:32:15Z/"}],"url":"https://river-bicycle-f1e.notion.site/Arbitrary-File-Write-Vulnerability-in-get_file-function-11888e31952580179224e50892976d32"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2336426","reference_id":"2336426","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2336426"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55459","reference_id":"CVE-2024-55459","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55459"},{"reference_url":"https://github.com/advisories/GHSA-cjgq-5qmw-rcj6","reference_id":"GHSA-cjgq-5qmw-rcj6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjgq-5qmw-rcj6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44632?format=json","purl":"pkg:pypi/keras@3.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wr2-9bym-kke5"},{"vulnerability":"VCID-1xj9-1kng-8ua4"},{"vulnerability":"VCID-4mb7-t1tm-eqf8"},{"vulnerability":"VCID-4tbn-aaek-rkb9"},{"vulnerability":"VCID-64yr-ww4w-ckdr"},{"vulnerability":"VCID-aw3f-8xuy-d3gw"},{"vulnerability":"VCID-c11z-ye25-k7eh"},{"vulnerability":"VCID-cmug-fp72-8qc4"},{"vulnerability":"VCID-d61w-bj6k-9kc9"},{"vulnerability":"VCID-dy5p-938j-d7fr"},{"vulnerability":"VCID-gu8d-jjtb-zuau"},{"vulnerability":"VCID-h5tb-645a-3fdv"},{"vulnerability":"VCID-ptyp-n4df-aqf1"},{"vulnerability":"VCID-rgqk-3hht-h3dc"},{"vulnerability":"VCID-zsjb-zbnj-z3d8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@3.8.0"}],"aliases":["CVE-2024-55459","GHSA-cjgq-5qmw-rcj6","PYSEC-2025-121"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x454-t8qh-k7g1"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keras@1.2.2"}