Keras framework vulnerable to deserialization of untrusted data

GHSA-cvhh-q5g5-qprp · CVE-2025-49655

Published Oct 17, 2025 · Modified Oct 17, 2025

Description

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-49655
WEB https://github.com/keras-team/keras/pull/21575
PACKAGE https://github.com/keras-team/keras
WEB https://hiddenlayer.com/sai_security_advisor/2025-10-keras

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes