Google Keras vulnerabilities
4 known vulnerabilities affecting google/keras.
Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 4
Vulnerabilities
CVE-2026-1669 | HIGH | CVSS 7.1 | CWE-73 | ≥ 3.0.0, < 3.13.1 | 2026-02-11
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
cvelistv5, nvd
CVE-2026-0897 | HIGH | CVSS 7.1 | CWE-770 | ≥ 3.0.0, ≤ 3.13.0 | 2026-01-15
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset decl
cvelistv5, nvd
CVE-2025-8747 | HIGH | CVSS 8.6 | CWE-502 | ≥ 3.0.0, ≤ 3.10.0 | 2025-08-11
A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.
cvelistv5, nvd
CVE-2025-1550 | HIGH | CVSS 7.3 | PoC | CWE-94 | ≥ 3.0.0, < 3.8.0 | 2025-03-11
The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.
cvelistv5, nvd