CVE-2025-49655
Published 2025-10-17
PriorityP266critical9.8CVSS 3.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.71% (48.9th percentile)
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | keras | — | — |
| keras | keras | >= 3.11.0 < 3.11.3 | 3.11.3 |
| keras | keras | >= 3.11.0 < 3.11.3 | 3.11.3 |
Detection & IOCs (extracted from sources)
- Alert on Keras framework versions 3.11.0 up to (not including) 3.11.3 loading external model files — these versions are vulnerable to arbitrary code execution via malicious Keras files
- Red Hat products in their default configuration do not allow remote upload of model files, reducing exposure in those environments
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
- vendor_redhat: 9.8 CRITICAL
GHSA (ghsa, 2025-10-17): CVE-2025-49655 [CRITICAL] CWE-502, Keras framework vulnerable to deserialization of untrusted data
OSV (osv, 2025-10-17): CVE-2025-49655 [CRITICAL] Keras framework vulnerable to deserialization of untrusted data
OSV (osv, 2025-10-17, CVSS 9.8): CVE-2025-49655 [CRITICAL] Deserialization of untrusted data in the Keras framework
Red Hat (vendor_redhat, 2025-10-17, CVSS 9.8): CVE-2025-49655 [CRITICAL] CWE-502, keras: Keras deserialization of untrusted data
An unsafe deserialization flaw has been discovered in the Keras framework. An arbitrary code execution vulnerability exists in the TorchModuleWrapper class due to its usage of torch.load() within the from_config method. The method deserializes model data with the weights_only parameter set to False, which causes Torch to fall back on Python’s pickle module for deserializ
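A pre-load gate a defender can run on a model file before handing it to an affected Keras version, added here as an example and not code from any of the advisories or from Keras itself. It assumes the Keras 3 archive layout (a zip containing a config.json layer tree) and uses only the class name and version range the advisories give; the sample archive it builds is constructed for the demonstration.

```python
import io
import json
import zipfile

# Class named in the advisory: a config referencing it makes affected Keras
# versions call torch.load(weights_only=False), i.e. pickle, even in safe mode.
UNSAFE_CLASSES = {"TorchModuleWrapper"}
FIRST_AFFECTED = (3, 11, 0)   # inclusive, per the advisory
FIXED_VERSION = (3, 11, 3)    # exclusive, per the advisory


def _collect(node, found):
    """Walk a Keras config tree and record matching class_name values."""
    if isinstance(node, dict):
        cls = node.get("class_name")
        # Registered custom objects are serialized as "package>ClassName".
        if isinstance(cls, str) and cls.split(">")[-1] in UNSAFE_CLASSES:
            found.append(cls)
        for child in node.values():
            _collect(child, found)
    elif isinstance(node, list):
        for child in node:
            _collect(child, found)


def find_unsafe_layers(keras_bytes):
    """Return unsafe class names referenced by config.json inside a .keras zip."""
    with zipfile.ZipFile(io.BytesIO(keras_bytes)) as zf:
        config = json.loads(zf.read("config.json"))
    found = []
    _collect(config, found)
    return found


def version_is_affected(version):
    """True for Keras versions the advisory lists as vulnerable (3.11.0 <= v < 3.11.3)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return FIRST_AFFECTED <= parts < FIXED_VERSION


def build_sample_archive(layers):
    """Constructed sample: a minimal .keras-style zip holding only config.json."""
    config = {"class_name": "Sequential", "config": {"layers": layers}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()
```

Refuse to call the loader when find_unsafe_layers() returns anything on an affected version; the check is a stop-gap for files from untrusted sources, not a substitute for upgrading to 3.11.3.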
Debian (vendor_debian, 2025, CVSS 9.8): CVE-2025-49655 [CRITICAL] keras: Deserialization of untrusted data in the Keras framework
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-17