#VU118557 Path traversal in Keras - CVE-2025-12060

 


Published: November 17, 2025 / Updated: December 3, 2025


Vulnerability identifier: #VU118557
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-12060
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Keras
Software vendor:
Keras

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to an input validation error in the keras.utils.get_file API when it is called with the extract=True option on a tar archive. A remote user can supply a malicious .tar archive containing crafted symlinks; when the archive is extracted, those symlinks let the attacker write files outside the intended destination folder, to any location the extracting process has permission to write.
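The following is an added example, not Keras code and not taken from this advisory. It constructs, in memory, a tar archive of the shape such symlink traversal attacks typically take (an assumption about the mechanism: a symlink that points above the destination, followed by an entry whose path passes through that symlink) and shows a lexical pre-extraction check that rejects it before anything is written to disk. The helper names (build_tar, unsafe_members, safe_extract) and both sample archives are constructed for this example.

```python
# Added example (not Keras's code): how a tar archive abuses symlinks to
# write outside the extraction directory, and a lexical pre-extraction check
# that rejects such archives. Both archives are constructed as sample input.
import io
import os
import tarfile


def build_tar(entries):
    """Build a tar archive in memory.

    entries: list of (name, kind, payload) where kind is "file" (payload is
    bytes), "symlink" or "hardlink" (payload is the link target), or "dir".
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
                continue
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
            elif kind == "hardlink":
                info.type, info.linkname = tarfile.LNKTYPE, payload
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
            else:
                raise ValueError(kind)
            tar.addfile(info)
    return buf.getvalue()


# Constructed malicious archive: a symlink pointing above the destination,
# then a regular file whose path passes through that symlink. A naive
# extractor creates the link first, then writes 'pwned.txt' through it,
# i.e. outside the destination directory.
MALICIOUS_TAR = build_tar([
    ("escape", "symlink", "../../outside"),
    ("escape/pwned.txt", "file", b"written through the symlink\n"),
])

# Constructed benign archive for comparison: a symlink that stays inside
# the archive root is acceptable.
BENIGN_TAR = build_tar([
    ("data", "dir", None),
    ("data/train.csv", "file", b"a,b\n1,2\n"),
    ("latest", "symlink", "data/train.csv"),
])


def _escapes(rel_path):
    """True if a normalized relative path climbs above the archive root."""
    return rel_path == ".." or rel_path.startswith(".." + os.sep)


def unsafe_members(data):
    """Return (member name, reason) for every member that must not be extracted.

    The check is purely lexical, so it runs before anything touches disk. It
    flags absolute paths and '..' escapes, links whose target resolves outside
    the archive root, and any member whose path passes through (or overwrites)
    a link that appears earlier in the archive.
    """
    findings = []
    link_names = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            name = os.path.normpath(m.name)
            if os.path.isabs(m.name) or _escapes(name):
                findings.append((m.name, "path escapes destination"))
                continue
            if m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory;
                # hardlink targets are relative to the archive root.
                base = os.path.dirname(name) if m.issym() else ""
                target = os.path.normpath(os.path.join(base, m.linkname))
                if os.path.isabs(m.linkname) or _escapes(target):
                    findings.append((m.name, f"link target {m.linkname!r} escapes destination"))
                link_names.add(name)
                continue
            # Any prefix of this path (including the full path) that is an
            # earlier link would redirect the write through that link.
            parts = name.split(os.sep)
            for i in range(1, len(parts) + 1):
                prefix = os.sep.join(parts[:i])
                if prefix in link_names:
                    findings.append((m.name, f"path passes through link {prefix!r}"))
                    break
    return findings


def safe_extract(data, dest):
    """Extract only after the whole archive passed the check; raise otherwise."""
    findings = unsafe_members(data)
    if findings:
        raise ValueError(f"refusing to extract: {findings}")
    # Use the standard library's 'data' filter as a second layer where the
    # interpreter supports it (tarfile.data_filter exists on such versions).
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest, **kwargs)
```

Running unsafe_members on MALICIOUS_TAR reports both the escaping symlink and the file written through it, while BENIGN_TAR passes cleanly. The check is deliberately conservative: it refuses any write through a link regardless of where the link points, because validating link targets against the live filesystem mid-extraction is what makes these bugs hard to close. Recent Python versions also accept extractall(filter="data"), which rejects links that leave the destination; safe_extract uses it when present so that the two layers back each other up.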


Remediation

Install updates from the vendor's website.

External links