A vulnerability in the open source library Keras could allow attackers to load arbitrary local files or conduct server-side request forgery (SSRF) attacks.
Providing a Python interface for artificial neural networks, Keras is a deep learning API that can be used as a low-level, cross-framework language for building AI models that work with JAX, TensorFlow, and PyTorch.
Tracked as CVE-2025-12058 (CVSS score of 5.9), the medium-severity flaw exists because the library's StringLookup and IndexLookup preprocessing layers allow file paths or URLs to be used as inputs to define vocabularies.
When Keras reconstructs these layers while loading a serialized model, it could access the referenced file paths during deserialization, without proper validation or restriction, and incorporate the contents of the specified files into the model state.
“This means that even when security measures like safe_mode are enabled, a malicious model can still instruct Keras to access local files or external URLs during load time, exposing sensitive data or enabling remote network requests,” Zscaler explains.
According to the company, this behavior bypasses safe deserialization, allowing attackers to read arbitrary local files, exfiltrate data via vocabularies, and conduct SSRF attacks.
In real-world scenarios, attackers could exploit the vulnerability by uploading to public repositories malicious Keras models with specially crafted vocabulary parameters, such as ones targeting SSH keys.
When a victim downloads and loads the model, their SSH private keys are read into the model's vocabulary during deserialization. The attacker can then retrieve the keys by re-downloading the model or through vocabulary exfiltration.
“Potential impact: full compromise of victim's SSH access to servers, code repositories, and cloud infrastructure. Attackers can pivot to active intrusion: clone private repos, inject backdoors or malicious commits into CI/CD, execute code in production, and move laterally,” Zscaler says.
If a malicious model is deployed in a cloud environment with an instance metadata service, loading it in a VM allows attackers to retrieve IAM credentials and gain full control over an organization's cloud resources.
The vulnerability was resolved in Keras version 3.11.4 by embedding vocabulary files directly into the Keras archive and loading them from the archive upon initialization. The fix also disallows loading arbitrary vocabulary files when safe_mode is enabled.
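As an added illustration (not code from the article or from the Keras project), the following Python inspects a Keras 3 `.keras` archive's `config.json` before the model is deserialized and flags StringLookup/IndexLookup layers (and IntegerLookup, which shares the IndexLookup base class) whose `vocabulary` is a string path or URL rather than an embedded list. It assumes the Keras 3 archive layout: a zip containing `config.json` with nested `class_name`/`config` entries per layer.

```python
"""Pre-load scanner for external vocabulary references in a .keras archive."""
import json
import zipfile
from typing import Any

# Lookup layers that accept a file path or URL as `vocabulary`.
# IntegerLookup is included because it shares the IndexLookup base class.
LOOKUP_LAYERS = {"StringLookup", "IndexLookup", "IntegerLookup"}


def find_external_vocabularies(node: Any, where: str = "model") -> list[dict]:
    """Walk a deserialized config tree and collect lookup layers whose
    vocabulary is a string (a path or URL Keras would open at load time)."""
    findings = []
    if isinstance(node, dict):
        cls = node.get("class_name")
        cfg = node.get("config")
        if cls in LOOKUP_LAYERS and isinstance(cfg, dict):
            vocab = cfg.get("vocabulary")
            # An embedded vocabulary serializes as a list; a str is external.
            if isinstance(vocab, str):
                findings.append({
                    "layer": cfg.get("name", "<unnamed>"),
                    "class_name": cls,
                    "vocabulary": vocab,
                    "where": where,
                })
        for key, child in node.items():
            findings.extend(find_external_vocabularies(child, f"{where}.{key}"))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings.extend(find_external_vocabularies(child, f"{where}[{i}]"))
    return findings


def scan_keras_archive(archive) -> list[dict]:
    """Read config.json from a .keras zip (path or file-like object) without
    deserializing the model, and report any external vocabulary references."""
    with zipfile.ZipFile(archive) as zf:
        config = json.loads(zf.read("config.json"))
    return find_external_vocabularies(config)
```

A non-empty result means the archive would trigger file or network access on load in an unpatched Keras; quarantine such a model rather than calling `load_model` on it.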