keras
PyPI | 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting keras | page 1 of 1
- CVE-2024-3660 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.13.1rc0 | 2024-04-16
vulnerable: 0.2.0 ... 2.9.0rc2 (76 versions)
An arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allows arbitrary code irrespective of the applicatio…
- CVE-2025-12058 | MEDIUM | CVSS 5.9 | EG 0.0 | ✓ Fixed in 3.12.0 | 2025-10-29
vulnerable: 0.2.0 ... 3.9.2 (112 versions)
The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way …
- CVE-2025-12060 | HIGH | CVSS 8.9 | EG 0.0 | ✓ Fixed in 3.12.0 | 2025-10-30
vulnerable: 0.2.0 ... 3.9.2 (112 versions)
The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote att…
- CVE-2025-49655 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.11.3 | 2025-10-17
vulnerable: 3.11.0, 3.11.1, 3.11.2
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code …
- CVE-2025-8747 | HIGH | CVSS 7.8 | EG 7.8 | ✓ Fixed in 3.11.0 | 2025-08-11
vulnerable: 3.0.0 ... 3.9.2 (24 versions)
A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.
- CVE-2025-9905 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 3.11.3 | 2025-09-19
vulnerable: 3.0.0 ... 3.9.2 (27 versions)
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary …
- CVE-2025-9906 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 3.11.0 | 2025-09-19
vulnerable: 0.2.0 ... 3.9.2 (108 versions)
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary cod…
- CVE-2026-0897 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.12.1 | 2026-01-15
vulnerable: 3.0.0 ... 3.9.2 (29 versions)
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and…
- CVE-2026-1462 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 3.13.2 | 2026-04-13
vulnerable: 0.2.0 ... 3.9.2 (116 versions)
A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the securi…
- CVE-2026-1669 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.13.2 | 2026-02-11
vulnerable: 3.13.0, 3.13.1
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras mo…