VYPR

PyPI package

keras

pkg:pypi/keras

Vulnerabilities (13)

  • CVE-2026-1462 · High · Apr 13, 2026
    affected < 3.13.2, fixed 3.13.2

    A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables

  • CVE-2026-1669 · Feb 11, 2026
    affected >= 3.13.0, < 3.13.2, fixed 3.13.2

    Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset

  • CVE-2026-0897 · Jan 15, 2026
    affected >= 3.0.0, < 3.12.1, fixed 3.12.1

    Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafte

  • CVE-2025-12638 · High · Nov 28, 2025
    affected < 3.12.0, fixed 3.12.0

    Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. A

  • CVE-2025-12060 · High · Oct 30, 2025
    affected < 3.12.0, fixed 3.12.0

    The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive c

  • CVE-2025-12058 · Medium · Oct 29, 2025
    affected < 3.12.0, fixed 3.12.0

    The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during

  • CVE-2025-49655 · Critical · Oct 17, 2025
    affected >= 3.11.0, < 3.11.3, fixed 3.11.3

    Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despit

  • CVE-2025-9905 · Sep 19, 2025
    affected >= 3.0.0, < 3.11.3, fixed 3.11.3

    The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by c

  • CVE-2025-9906 · Sep 19, 2025
    affected < 3.11.0, fixed 3.11.0

    The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by craft

  • CVE-2025-8747 · Aug 11, 2025
    affected >= 3.0.0, < 3.11.0, fixed 3.11.0

    A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.

  • CVE-2025-1550 · Mar 11, 2025
    affected >= 3.0.0, < 3.9.0, fixed 3.9.0

    The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along wit

  • CVE-2024-55459 · Jan 8, 2025
    affected <= 3.7.0

    An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.

  • CVE-2024-3660 · Apr 16, 2024
    affected < 2.13.1rc0, fixed 2.13.1rc0

    An arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application, using a model that allows arbitrary code irrespective of the application.