PT-2026-55585 · Keras Team · Keras
Published: 2026-07-03 · Updated: 2026-07-03 · CVE-2026-12481
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
keras-team/keras version 3.14.0
Description
Improper handling of deserialization in the Lambda layer allows for arbitrary OS-level code execution in the context of the server or user process. The _raise_for_lambda_deserialization() function fails to enforce the safe-mode guard when safe_mode is set to None, which is the default value when from_config() is called outside of a SafeModeScope context. This logic error treats None as False, bypassing the guard and allowing attacker-controlled marshal bytecode to be deserialized. Affected call sites include the keras.layers.deserialize(config) and keras.models.clone_model(model) endpoints, as well as any direct invocation of the Lambda.from_config(config) function without an enclosing SafeModeScope(True).
Recommendations
For version 3.14.0, ensure that Lambda.from_config(config) is called within an enclosing SafeModeScope(True) to enforce the safe-mode guard.
As a temporary mitigation, restrict the use of the keras.layers.deserialize(config) and keras.models.clone_model(model) endpoints when processing untrusted configurations.
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Keras
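One way to apply the temporary mitigation from the Recommendations is to screen an untrusted config before it reaches keras.layers.deserialize(config) or keras.models.clone_model(model). This is an added example, not Keras or advisory code; find_lambda_payloads and check_config are hypothetical names, and it assumes Keras 3 serializes a Python lambda as a dict whose class_name is "__lambda__".

```python
# Added example: pre-screen an untrusted Keras layer/model config (plain dicts).
# Assumption: a serialized Python lambda is a dict with class_name "__lambda__".
LAMBDA_MARKER = "__lambda__"


def find_lambda_payloads(node, path="$"):
    """Return the JSON-style path of every serialized-lambda dict in node."""
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") == LAMBDA_MARKER:
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_lambda_payloads(value, f"{path}.{key}"))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            hits.extend(find_lambda_payloads(value, f"{path}[{index}]"))
    return hits


def check_config(config, safe_mode=None):
    """Fail closed: only an explicit safe_mode=False permits lambda payloads.

    None (unset) is handled like True here, unlike a truthiness test such as
    `if safe_mode:`, where None falls through exactly as False does.
    """
    hits = find_lambda_payloads(config)
    if hits and safe_mode is not False:
        raise ValueError(f"serialized lambda refused at: {', '.join(hits)}")
    return hits


# Constructed sample configs (not taken from a real model file).
BENIGN = {"class_name": "Dense", "config": {"units": 4, "activation": "relu"}}
SUSPECT = {"class_name": "Sequential", "config": {"layers": [
    BENIGN,
    {"class_name": "Lambda", "config": {
        "name": "l1",
        "function": {"class_name": LAMBDA_MARKER,
                     "config": {"value": {"code": "<placeholder>"}}},
    }},
]}}

if __name__ == "__main__":
    print(check_config(BENIGN))       # no lambda payloads found
    try:
        check_config(SUSPECT)         # safe_mode left unset (None)
    except ValueError as exc:
        print(exc)
```

The screen only recognises the dict form assumed above, so it complements an enclosing SafeModeScope(True) and does not replace it.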