Keras Team Keras
Monthly
Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directory escape that can read or overwrite arbitrary files on the host filesystem. The root defect is in `keras/src/utils/file_utils.py`, where `is_path_in_dir` path containment checks are applied only to regular file entries - symlink entries are extracted without equivalent validation. The exposure is most severe on Python 3.10 and 3.11, where `filter_safe_tarinfos` is the sole extraction safeguard; no public exploit or active exploitation has been identified at time of analysis.
Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized `Lambda` layer that is deserialized without an active `SafeModeScope`. The root cause is `_raise_for_lambda_deserialization()` treating a `None` `safe_mode` (the default when `from_config()` runs outside a `SafeModeScope`) as if it were an explicit `False`, so the safe-mode guard is skipped and attacker-controlled `marshal` bytecode executes. SSVC rates technical impact as total with a proof-of-concept available; EPSS is modest at 0.40% (32nd percentile), and the flaw is not in CISA KEV.
Path traversal in Keras 3.14.0 exposes local file systems to arbitrary file and directory creation when processing maliciously crafted model files. The DiskIOStore.make method constructs directory paths from user-supplied layer names without sanitizing directory traversal sequences (..); since only forward slashes are blocked, embedding .. components in a layer name allows escape from the intended temporary working directory during model save or load operations. No active exploitation (CISA KEV) and no public proof-of-concept has been identified at time of analysis; however, EPSS data was not provided, leaving probabilistic exploitation likelihood unquantified.
Arbitrary code execution in Keras 3.13.0 occurs because the TFSMLayer class unconditionally loads attacker-supplied TensorFlow SavedModels while deserializing a .keras model, even with safe_mode=True engaged. Any user who loads a malicious model triggers attacker-controlled code at inference time under their own privileges, defeating the protection safe_mode is supposed to provide. The flaw (CWE-502) has publicly available exploit code via huntr but is not in CISA KEV; EPSS is very low at 0.06% (19th percentile), consistent with the local, user-interaction-dependent attack path.
Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directory escape that can read or overwrite arbitrary files on the host filesystem. The root defect is in `keras/src/utils/file_utils.py`, where `is_path_in_dir` path containment checks are applied only to regular file entries - symlink entries are extracted without equivalent validation. The exposure is most severe on Python 3.10 and 3.11, where `filter_safe_tarinfos` is the sole extraction safeguard; no public exploit or active exploitation has been identified at time of analysis.
Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized `Lambda` layer that is deserialized without an active `SafeModeScope`. The root cause is `_raise_for_lambda_deserialization()` treating a `None` `safe_mode` (the default when `from_config()` runs outside a `SafeModeScope`) as if it were an explicit `False`, so the safe-mode guard is skipped and attacker-controlled `marshal` bytecode executes. SSVC rates technical impact as total with a proof-of-concept available; EPSS is modest at 0.40% (32nd percentile), and the flaw is not in CISA KEV.
Path traversal in Keras 3.14.0 exposes local file systems to arbitrary file and directory creation when processing maliciously crafted model files. The DiskIOStore.make method constructs directory paths from user-supplied layer names without sanitizing directory traversal sequences (..); since only forward slashes are blocked, embedding .. components in a layer name allows escape from the intended temporary working directory during model save or load operations. No active exploitation (CISA KEV) and no public proof-of-concept has been identified at time of analysis; however, EPSS data was not provided, leaving probabilistic exploitation likelihood unquantified.
Arbitrary code execution in Keras 3.13.0 occurs because the TFSMLayer class unconditionally loads attacker-supplied TensorFlow SavedModels while deserializing a .keras model, even with safe_mode=True engaged. Any user who loads a malicious model triggers attacker-controlled code at inference time under their own privileges, defeating the protection safe_mode is supposed to provide. The flaw (CWE-502) has publicly available exploit code via huntr but is not in CISA KEV; EPSS is very low at 0.06% (19th percentile), consistent with the local, user-interaction-dependent attack path.