Path traversal via startswith() prefix confusion in is_path_in_dir (bypass of CVE-2025-12638 fix)
Description: The is_path_in_dir function in keras/src/utils/file_utils.py (lines 47-48) is a security-critical path validation function introduced as part of the fix for CVE-2025-12638. It is used by both filter_safe_zip_infos and filter_safe_tar_infos to validate that archive entries stay within the intended...
CVE-2025-12638
Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall method without the security-critical filter='data' parameter. Although Keras attempts...
adpred (=1.3.2), bacpipe (>=1.2.0 <=1.3.2.dev0) +14 more potentially affected by CVE-2025-12638 via keras (>=3.0.0 <=3.11.3)
keras PyPI version =3.0.0, =1.2.0, =0.1.0, =0.0.4, =0.4.7, =1.0.3, =0.0.28, =0.2.0, =2.4.0, =0.1.0, =0.1.1, =1.1.0, =1.10.0 and more. Source CVEs: CVE-2025-12638. Source advisory: SNYK:PYTHON-KERAS-14152002...
CVE-2025-12638
Keras 3.11.3 is affected by a path traversal in keras.utils.get_file() via tar archive extraction. The root cause is tarfile.extractall() used without filter="data"; though filter_safe_paths() is applied, a PATH_MAX symlink resolution bug during extraction can cause symlinks to be treated as lite...