keras-2.15.0-py3-none-any.whl: 4 vulnerabilities (highest severity is: 9.0)

Open mend-bolt-for-github[bot] opened this issue 9 months ago • 0 comments

Vulnerable Library - keras-2.15.0-py3-none-any.whl

Multi-backend Keras.

Library home page: https://files.pythonhosted.org/packages/fc/a7/0d4490de967a67f68a538cc9cdb259bff971c4b5787f7765dc7c8f118f71/keras-2.15.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 4b141b8723afcbaab02c043a5df3a1cebe474b0b

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (keras version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-12060 | Critical | 9.0 | keras-2.15.0-py3-none-any.whl | Direct | keras - 3.12.0,keras - 3.12.0,https://github.com/keras-team/keras.git - v3.12.0 | |
| CVE-2025-9906 | High | 8.2 | keras-2.15.0-py3-none-any.whl | Direct | https://github.com/keras-team/keras.git - v3.11.0 | |
| CVE-2025-12058 | Medium | 6.8 | keras-2.15.0-py3-none-any.whl | Direct | 3.12.0 | |
| CVE-2024-55459 | Medium | 6.5 | keras-2.15.0-py3-none-any.whl | Direct | N/A | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-12060

Dependency Hierarchy:

  • :x: keras-2.15.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).

Publish Date: 2025-10-30

URL: CVE-2025-12060

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2025-10-30

Fix Resolution: keras - 3.12.0,keras - 3.12.0,https://github.com/keras-team/keras.git - v3.12.0

CVE-2025-9906

Vulnerability Details

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disabled, one can use the Lambda layer feature of Keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive: the keras.config.enable_unsafe_deserialization() call simply needs to appear first in the archive and the Lambda with arbitrary code second.

Publish Date: 2025-09-19

URL: CVE-2025-9906

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2025-09-19

Fix Resolution: https://github.com/keras-team/keras.git - v3.11.0

CVE-2025-12058

Vulnerability Details

The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path.

  • Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system.
  • Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server's behalf, resulting in an SSRF condition. The security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access.

Publish Date: 2025-10-29

URL: CVE-2025-12058

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2025-10-29

Fix Resolution: 3.12.0

CVE-2024-55459

Vulnerability Details

An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.

Publish Date: 2025-01-08

URL: CVE-2024-55459

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
