PT-2025-44268 · Tensorflow+1 · Keras+1

Published 2025-10-29 · Updated 2025-12-17 · CVE-2025-12058

CVSS v4.0: 5.9 (Medium)
Vector: AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Keras (affected versions not specified)

Description: The Keras Model.load_model method is susceptible to arbitrary local file loading and Server-Side Request Forgery (SSRF), even when safe_mode=True is enabled. The issue arises from how the StringLookup layer is handled when a model is loaded from a crafted .keras archive. The StringLookup constructor accepts a vocabulary argument that may be a local or remote file path rather than an inline list of tokens. An attacker can embed such a path in the StringLookup layer's configuration inside a malicious .keras file. When the model is loaded, Keras reads the referenced local file to populate the vocabulary, which can expose the contents of arbitrary local files on the system. Furthermore, Keras performs this read through tf.io.gfile, which supports remote filesystem handlers and the HTTP/HTTPS protocols, so the same mechanism lets an attacker make the loading host fetch content from arbitrary network endpoints, resulting in an SSRF condition. The intended mitigation, safe_mode=True, only restricts deserialization of arbitrary Python code (such as Lambda layers) and does not restrict loading from external paths. Note the vector: exploitation requires that a user load an attacker-supplied .keras archive (UI:P), and the file read or outbound request happens with the privileges of the process calling load_model.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until a fix is available, treat .keras archives from untrusted sources as untrusted input and inspect their config.json for lookup layers whose vocabulary is a path or URL before calling load_model.
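The following pre-load check is an added example written for this advisory; it is not code from Keras, TensorFlow, or the advisory's authors. It opens a .keras archive as the zip file it is, parses config.json without instantiating any layer, and reports every StringLookup (and, as an assumption, IntegerLookup, which takes the same vocabulary argument) whose vocabulary is a string, classifying it as a local path or a remote URL. The sample archive at the bottom is constructed inline for the demonstration; the exact nesting of layer configs inside config.json is treated as an assumption, so the walker searches the whole document rather than one fixed key path.

```python
import io
import json
import zipfile

# Layers whose `vocabulary` constructor argument may name a file instead of a list.
# IntegerLookup is included on the assumption that it shares StringLookup's behaviour.
LOOKUP_LAYERS = {"StringLookup", "IntegerLookup"}


def _walk(node, path=""):
    """Yield (json_path, dict) for every dict in a nested JSON structure, in document order."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def find_external_vocabularies(config):
    """Return a finding for each lookup layer whose `vocabulary` is a path or URL.

    An inline list (or None) means nothing is read from disk or network at load time,
    so those layers are ignored. A string with '://' is treated as a remote handler
    (http://, https://, gs://, s3://, ...); any other string is a local path.
    """
    findings = []
    for path, node in _walk(config):
        if node.get("class_name") not in LOOKUP_LAYERS:
            continue
        layer_cfg = node.get("config") or {}
        vocab = layer_cfg.get("vocabulary")
        if not isinstance(vocab, str):
            continue
        kind = "remote" if "://" in vocab else "local"
        findings.append({
            "layer": node["class_name"],
            "name": layer_cfg.get("name"),
            "where": path,
            "vocabulary": vocab,
            "kind": kind,
        })
    return findings


def scan_keras_archive(data):
    """Inspect the bytes of a .keras archive without loading the model.

    Only config.json is read; weights and metadata are never touched, and no
    Keras object is built, so the vulnerable code path is not reached.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_external_vocabularies(config)


def build_sample_archive():
    """Constructed .keras-style archive for this example (not a real exported model)."""
    config = {
        "module": "keras", "class_name": "Functional",
        "config": {"layers": [
            {"class_name": "InputLayer", "config": {"name": "input"}},
            # Local path: load_model would read this file into the vocabulary.
            {"class_name": "StringLookup",
             "config": {"name": "lookup_local", "vocabulary": "/etc/passwd"}},
            # Remote URL: tf.io.gfile would fetch it, i.e. the SSRF case.
            {"class_name": "StringLookup",
             "config": {"name": "lookup_remote", "vocabulary": "https://example.invalid/vocab.txt"}},
            # Inline vocabulary: benign, nothing external is read.
            {"class_name": "StringLookup",
             "config": {"name": "lookup_inline", "vocabulary": ["a", "b", "c"]}},
            {"class_name": "Dense", "config": {"name": "dense", "units": 1}},
        ]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_keras_archive(build_sample_archive()):
        print(f"{f['kind']:6} {f['layer']} '{f['name']}' at {f['where']}: {f['vocabulary']}")
```

Run it against a real archive with scan_keras_archive(open("model.keras", "rb").read()) and refuse to call load_model if the list is non-empty; the check is deliberately conservative and flags every string-valued vocabulary, since a path that looks harmless still causes an uncontrolled file read on the loading host.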

Weakness Enumeration

Deserialization of Untrusted Data
SSRF

Related Identifiers

AZL-69021
AZL-69583
CVE-2025-12058
GHSA-MQ84-HJQX-CWF2
GHSA-QG93-C7P6-GG7F
OESA-2025-2689
OESA-2025-2690
OESA-2025-2691

Affected Products

Debian
Keras