SB2025111724 - Multiple vulnerabilities in Keras

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-12058)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input passed via a specially crafted .keras archive within the Keras.Model.load_model method. A remote user can upload a malicious .keras file that embeds a local or remote path in the StringLookup layer's configuration and trick the application to initiate requests to arbitrary files or external systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Note, the vulnerability can be exploited even with the "safe_mode=True" flag.

2) Path traversal (CVE-ID: CVE-2025-12060)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error in keras.utils.get_file API when used with the extract=True option for tar archives. A remote user can supply a malicious .tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder.

Remediation

Install update from vendor's website.

References

• https://github.com/keras-team/keras/releases/tag/v3.12.0
• https://github.com/advisories/GHSA-mq84-hjqx-cwf2
• https://github.com/keras-team/keras/security/advisories/GHSA-qg93-c7p6-gg7f
• https://github.com/advisories/GHSA-28jp-44vh-q42h
• https://github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9