keras 2.2.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the keras package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Directory Traversal keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Directory Traversal via the `keras.utils.get_file` API when the `extract=True` option is used for tar archives. An attacker can write arbitrary files to any location on the filesystem outside of the intended destination folder by supplying a crafted tar archive containing special symlinks. Note: This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12.0). How to fix Directory Traversal? Upgrade `keras` to version 3.12.0 or higher.	[,3.12.0)
M Deserialization of Untrusted Data keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `.keras` archives when they are initialized with a path to a vocabulary file. The model deserialization process when loading the archives abuses the `StringLookup` layer's `vocabulary` argument. An attacker can access arbitrary local files or trigger server-side requests to arbitrary network endpoints by supplying malicious file paths or URLs in the model configuration. This is possible even when `safe_mode` is set to `True`. How to fix Deserialization of Untrusted Data? Upgrade `keras` to version 3.12.0 or higher.	[,3.12.0)
H Improper Control of Dynamically-Managed Code Resources keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the `Model.load_model` method. An attacker can execute arbitrary code by providing a specially crafted `.h5` or `.hdf5` model archive that leverages the Lambda layer feature to include pickled Python code, which is executed when the archive is loaded, even if `safe_mode=True` is set. How to fix Improper Control of Dynamically-Managed Code Resources? Upgrade `keras` to version 3.11.3 or higher.	[,3.11.3)
H Deserialization of Untrusted Data keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `Model.load_model` method. An attacker can execute arbitrary code by providing a specially crafted `.keras` model archive containing a `config.json` file that invokes `keras.config.enable_unsafe_deserialization()` to disable safe mode, followed by a Lambda layer with malicious pickled code. How to fix Deserialization of Untrusted Data? Upgrade `keras` to version 3.11.0 or higher.	[,3.11.0)
H Deserialization of Untrusted Data keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the function `saving_lib.load_model`, which identifies the model source (file, directory, or Hugging Face repository) and then calls the corresponding loader. An attacker can execute arbitrary code by convincing a user to load a specially crafted `.keras` model archive. How to fix Deserialization of Untrusted Data? Upgrade `keras` to version 3.11.0 or higher.	[,3.11.0)
H Deserialization of Untrusted Data keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the `load_model()` function, which uses pickle for serialization. An attacker can execute code even if `safe_mode` is set to `True`, by supplying a malicious `.keras` file. The included `config.json` can be manipulated to point to and load `npz` model files containing executable code. How to fix Deserialization of Untrusted Data? Upgrade `keras` to version 3.9.0 or higher.	[,3.9.0)
C Code Injection keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Code Injection due to improper user input sanitization through the Lambda layer, allowing a developer to add arbitrary Python code to a model in the form of a lambda function. An attacker could use this feature to trojanize a popular model, save it, and redistribute it, tainting the supply chain of dependent AI/ML applications. In addition, exploiting this vulnerability allows arbitrary code to be executed with the same permissions as the application. Note If running pre-2.13 applications in a sandbox, ensure no assets of value are in scope of the running application to minimize the potential for data exfiltration. How to fix Code Injection? Upgrade `keras` to version 2.13.1rc0 or higher.	[,2.13.1rc0)
H Deserialization of Untrusted Data keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Loading keras models via yaml could allow arbitrary code execution via unsafe deserialization. How to fix Deserialization of Untrusted Data? Upgrade `keras` to version 2.6.0rc3 or higher.	[,2.6.0rc3)

Vulnerability

Vulnerable Version

Directory Traversal

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Directory Traversal via the keras.utils.get_file API when the extract=True option is used for tar archives. An attacker can write arbitrary files to any location on the filesystem outside of the intended destination folder by supplying a crafted tar archive containing special symlinks.

Note:

This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12.0).

How to fix Directory Traversal?

Upgrade keras to version 3.12.0 or higher.

[,3.12.0)

Deserialization of Untrusted Data

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the .keras archives when they are initialized with a path to a vocabulary file. The model deserialization process when loading the archives abuses the StringLookup layer's vocabulary argument. An attacker can access arbitrary local files or trigger server-side requests to arbitrary network endpoints by supplying malicious file paths or URLs in the model configuration. This is possible even when safe_mode is set to True.

How to fix Deserialization of Untrusted Data?

Upgrade keras to version 3.12.0 or higher.

[,3.12.0)

Improper Control of Dynamically-Managed Code Resources

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the Model.load_model method. An attacker can execute arbitrary code by providing a specially crafted .h5 or .hdf5 model archive that leverages the Lambda layer feature to include pickled Python code, which is executed when the archive is loaded, even if safe_mode=True is set.

How to fix Improper Control of Dynamically-Managed Code Resources?

Upgrade keras to version 3.11.3 or higher.

[,3.11.3)

Deserialization of Untrusted Data

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the Model.load_model method. An attacker can execute arbitrary code by providing a specially crafted .keras model archive containing a config.json file that invokes keras.config.enable_unsafe_deserialization() to disable safe mode, followed by a Lambda layer with malicious pickled code.

How to fix Deserialization of Untrusted Data?

Upgrade keras to version 3.11.0 or higher.

[,3.11.0)

Deserialization of Untrusted Data

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the function saving_lib.load_model, which identifies the model source (file, directory, or Hugging Face repository) and then calls the corresponding loader. An attacker can execute arbitrary code by convincing a user to load a specially crafted .keras model archive.

How to fix Deserialization of Untrusted Data?

Upgrade keras to version 3.11.0 or higher.

[,3.11.0)

Deserialization of Untrusted Data

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the load_model() function, which uses pickle for serialization. An attacker can execute code even if safe_mode is set to True, by supplying a malicious .keras file. The included config.json can be manipulated to point to and load npz model files containing executable code.

How to fix Deserialization of Untrusted Data?

Upgrade keras to version 3.9.0 or higher.

[,3.9.0)

Code Injection

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Code Injection due to improper user input sanitization through the Lambda layer, allowing a developer to add arbitrary Python code to a model in the form of a lambda function. An attacker could use this feature to trojanize a popular model, save it, and redistribute it, tainting the supply chain of dependent AI/ML applications. In addition, exploiting this vulnerability allows arbitrary code to be executed with the same permissions as the application.

Note

If running pre-2.13 applications in a sandbox, ensure no assets of value are in scope of the running application to minimize the potential for data exfiltration.

How to fix Code Injection?

Upgrade keras to version 2.13.1rc0 or higher.

[,2.13.1rc0)

Deserialization of Untrusted Data

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Loading keras models via yaml could allow arbitrary code execution via unsafe deserialization.

How to fix Deserialization of Untrusted Data?

Upgrade keras to version 2.6.0rc3 or higher.

[,2.6.0rc3)

keras@2.2.0 vulnerabilities

Multi-backend Keras

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically