Platform
python
Component
keras-team/keras
A path traversal vulnerability has been identified in Keras, a high-level neural networks API written in Python. The flaw, present in all versions up to and including the latest release, lies in the tar archive extraction performed by the keras.utils.get_file() function. Because extraction runs without tarfile's protective filter and a symlink resolution bug defeats the existing path check, an attacker who can supply an archive may write files outside the intended directory, leading to unauthorized access and possible system compromise.
The vulnerability allows an attacker to leverage symlink resolution to bypass the intended file access restrictions. Specifically, tarfile.extractall() is called without the filter='data' parameter, which makes tarfile resolve each member's path and link target against the destination at extraction time and refuse any that land outside it. Keras does attempt to filter unsafe paths, but that filtering happens before extraction, and the PATH_MAX symlink resolution bug circumvents it. The result is that an attacker can write arbitrary files outside the designated extraction directory, potentially overwriting critical system files or injecting malicious code. The blast radius extends to any system where Keras is deployed and processes untrusted tar archives.
This vulnerability was publicly disclosed on 2025-11-28. There are currently no known public proof-of-concept exploits available, but the vulnerability's nature makes it likely that one will emerge. The vulnerability is not currently listed on CISA KEV. The CVSS score of 8.0 (HIGH) indicates a significant risk, and proactive mitigation is recommended.
Exploit Status
EPSS
0.02% (6th percentile)
The primary mitigation is to upgrade to a patched version of Keras that addresses this vulnerability. The vendor has not yet released a specific fixed version, so monitor Keras's official channels for updates. As a temporary workaround, avoid processing untrusted tar archives with Keras. If processing is unavoidable, implement strict file system access controls to limit the potential impact of a successful exploit. Consider using a sandboxed environment to isolate Keras processes from sensitive system resources. After upgrading, verify the fix by attempting to extract a malicious tar archive containing a symlink designed to write outside the intended directory; the extraction should fail with an appropriate error.
Update Keras to a version that incorporates the fix for this vulnerability. Ensure that the `keras.utils.get_file()` function uses the `filter='data'` parameter when extracting tar archives. As a preventive measure, avoid processing tar archives from untrusted sources.
CVE-2025-12638 is a Path Traversal vulnerability affecting Keras versions up to the latest, allowing attackers to potentially write files outside the intended directory via symlink resolution bypass.
If you are using any Keras release up to and including the latest, you are potentially affected. Monitor Keras's official channels for updates and apply the recommended mitigation.
Upgrade to a patched version of Keras as soon as it becomes available. Until then, avoid processing untrusted tar archives and implement strict file system access controls.
There are currently no known active exploits, but the vulnerability's nature suggests it may be targeted in the future. Proactive mitigation is recommended.
Refer to the Keras project's official website and GitHub repository for the latest security advisories and updates related to CVE-2025-12638.