VYPR

Keras

by Keras Team

pypi: keras

CVEs (10)

  • CVE-2025-49655 | Critical | Oct 17, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded…

  • CVE-2025-12060 | High | Oct 30, 2025
    risk 0.51 | cvss n/a | epss 0.01

    The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive…

  • CVE-2026-1462 | High | Apr 13, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables…

  • CVE-2026-11816 | High | Jun 11, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current…

  • CVE-2025-12638 | High | Nov 28, 2025
    risk 0.45 | cvss 8.0 | epss 0.01

    Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter.…

  • CVE-2025-12058 | Medium | Oct 29, 2025
    risk 0.31 | cvss n/a | epss 0.00

    The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during…

  • CVE-2026-12479 | Jun 22, 2026
    risk 0.00 | cvss n/a | epss 0.00

    A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the `DiskIOStore.make` method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to…

  • CVE-2026-0897 | Jan 15, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via…

  • CVE-2025-9905 | Sep 19, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved…

  • CVE-2025-9906 | Sep 19, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by…