Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)

Summary Keras’s model loader KerasFileEditor unsafely loads user-supplied .keras model files containing HDF5-based weight files without performing any validation on HDF5 dataset metadata. An attacker can craft a .keras archive containing a valid model.weights.h5 file whose dataset declares an...

Arbitrary File Write via Path Traversal in Orbax Checkpoint Asset Dict Keys

Description When loading a Keras model from an Orbax checkpoint directory, the writenesteddicttodir function uses dict keys from the checkpoint's asset data directly in os.path.join without any path sanitization. A crafted Orbax checkpoint can include absolute paths or path traversal sequences .....

CVE-2026-1669

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

DEBIAN-CVE-2026-1669

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

AZL-77414 CVE-2026-1669 affecting package keras 3.3.3-6

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

CVE-2026-1669

CVE-2026-1669 describes an arbitrary file read in the Keras model loading path via HDF5 external dataset references. Affected versions are Keras 3.0.0 through 3.13.1 on all supported platforms. The vulnerability arises in the HDF5 integration used during model loading, enabling a remote attacker ...

Linux Distros Unpatched Vulnerability : CVE-2026-0897

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote...

Security Bulletin: A vulnerability in Watson NLP affects IBM Robotic Process Automation which may result in arbitrary code execution (CVE-2025-1550).

Summary A vulnerability in Watson NLP affects IBM Robotic Process Automation which may result in arbitrary code execution. Watson NLP is used by IBM Robotic Process Automation for Natural Language Processing. This bulletin identifies the fixes required to address the vulnerablity. Vulnerability...

CVE-2026-0897

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service DoS through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive...

Security Bulletin: Arbitrary Code Execution in Keras

Summary Keras is used by many machine learning frameworks and applications as part of their deep learning infrastructure. Remote attackers can execute arbitrary code, leading to full system compromise, data breaches, and potential lateral movement where the identified vulnerability is present...

Security Bulletin: Multiple Vulnerabilities affect IBM Watson Studio in Cloud Pak for Data.

Summary Multiple vulnerabilities have been addressed in IBM Watson Studio in Cloud Pak for Data version 5.2.2 Vulnerability Details CVEID:CVE-2024-3568 DESCRIPTION: The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the...

EUVD-2025-36634

Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery...

CVE-2025-12058

The Keras.Model.loadmodel method, including when executed with the intended security mitigation safemode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery SSRF. This vulnerability stems from the way the StringLookup layer is handled during model loading from a...

AZL-69021 CVE-2025-12058 affecting package keras 3.3.3-6

The Keras.Model.loadmodel method, including when executed with the intended security mitigation safemode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery SSRF. This vulnerability stems from the way the StringLookup layer is handled during model loading from a...

CVE-2025-12058

The Keras.Model.loadmodel method, including when executed with the intended security mitigation safemode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery SSRF. This vulnerability stems from the way the StringLookup layer is handled during model loading from a...

Linux Distros Unpatched Vulnerability : CVE-2025-12058

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Keras.Model.loadmodel method, including when executed with the intended security mitigation safemode=True, is vulnerable to arbitrary local file loading and...

EUVD-2025-7406

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2025-9906

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Keras Model.loadmodel method can be exploited to achieve arbitrary code execution, even with safemode=True. One can create a specially crafted .keras model...

GHSA-36RR-WW3J-VRJV The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

Note: This report has already been discussed with the Google OSS VRP team, who recommended that I reach out directly to the Keras team. I’ve chosen to do so privately rather than opening a public issue, due to the potential security implications. I also attempted to use the email address listed i...

CVE-2025-9905

The Keras Model.loadmodel method can be exploited to achieve arbitrary code execution, even with safemode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.loadmodel, will trigger arbitrary code to be executed. This is achieved by crafting a special...