Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
AV:L because the path traversal triggers during local model load/save; UI:R because victim must actively open the crafted model; S:C reflects file writes escaping the intended Keras temporary directory boundary.
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the DiskIOStore.make method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths without sanitizing for parent directory components (..). While forward slashes (/) are restricted in layer names, directory traversal sequences are not. This allows an attacker to craft a malicious Keras model that, when saved or loaded, can escape the intended temporary working directory and perform unauthorized file system operations, such as creating directories or writing files in arbitrary locations.
AnalysisAI
Path traversal in Keras 3.14.0 exposes local file systems to arbitrary file and directory creation when processing maliciously crafted model files. The DiskIOStore.make method constructs directory paths from user-supplied layer names without sanitizing directory traversal sequences (..); since only forward slashes are blocked, embedding .. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim explicitly invoke a Keras model save or load operation - specifically any code path that exercises DiskIOStore.make - against a model file containing layer names with directory traversal sequences (.. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:C) reflects a local attack vector with user interaction required and a changed scope - the scope change is the key elevating factor, as writes can escape the Keras temporary directory and affect the broader file system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a research model to a public repository (e.g., Hugging Face Hub or a GitHub release) where layer names contain traversal sequences such as ../../.config/autostart/backdoor or similar paths meaningful to the target OS. A data scientist or ML engineer downloads and loads the model using Keras 3.14.0 as part of routine experimentation; during the load operation, DiskIOStore.make constructs a path using the malicious layer name and writes a file outside the intended temporary directory to the attacker-controlled path. … |
| Remediation | No vendor-released patch or confirmed fixed version is identified in the available data - patch availability is unknown at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Keras Team Keras
View allArbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious
Arbitrary code execution in Keras 3.13.0 occurs because the TFSMLayer class unconditionally loads attacker-supplied Tens
Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directo
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38265
GHSA-gh82-f9x8-5frx