Critical severity9.8GHSA Advisory· Published Oct 17, 2025· Updated Apr 15, 2026

CVE-2025-49655

Description

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
kerasPyPI	>= 3.11.0, < 3.11.3	3.11.3

Affected products

Keras Team/KerasGHSA
Range: >= 3.11.0, < 3.11.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-cvhh-q5g5-qprpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-49655ghsaADVISORY
github.com/keras-team/keras/pull/21575nvdWEB
hiddenlayer.com/sai_security_advisor/2025-10-kerasghsaWEB
hiddenlayer.com/sai_security_advisor/2025-10-keras/nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000