3.12.0
Keras's keras.utils.get_file() function contains a Directory Traversal vulnerability stemming from the use of tarfile.extractall() without the filter="data" parameter. This allows malicious tar archives to bypass security checks and write files outside the intended extraction directory, potentially leading to arbitrary code execution or data compromise. The vulnerability affects Keras versions up to 3.9.2 and is resolved in version 3.12.0.
An attacker could craft a malicious tar archive containing specially crafted symlinks and file paths. When Keras attempts to extract this archive using keras.utils.get_file(), the tarfile.extractall() function, lacking the filter="data" parameter, will resolve these symlinks and write files to arbitrary locations on the system. This could allow an attacker to overwrite critical system files, inject malicious code, or gain unauthorized access to sensitive data. The potential impact is significant, especially in environments where Keras is used to process untrusted data or deploy models.
This vulnerability is considered high probability due to the ease of crafting malicious tar archives and the widespread use of Keras in machine learning deployments. Public proof-of-concept exploits are likely to emerge, increasing the risk of exploitation. The vulnerability was publicly disclosed on 2025-12-02. No active exploitation campaigns have been confirmed as of this writing.
Machine learning engineers and data scientists using Keras in production environments are at risk, particularly those deploying models that process user-supplied data or untrusted archives. Shared hosting environments where multiple users share the same Keras installation are also at increased risk, as a compromised user could potentially exploit the vulnerability to affect other users.
• python / keras: Inspect Keras version using python -c "import keras; print(keras.version)". Versions ≤3.9.2 are vulnerable.
• python / keras: Monitor file system for unexpected file creations within Keras extraction directories.
• python / keras: Review application logs for errors related to file extraction or permission denied errors during extraction.
• python / keras: Check for suspicious tar archives being downloaded or processed by Keras applications.
disclosure
patch
漏洞利用状态
EPSS
0.12% (31% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to upgrade Keras to version 3.12.0 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to restrict the extraction directory to a tightly controlled and isolated location. Additionally, carefully validate the source of any tar archives processed by Keras, ensuring they originate from trusted sources. Implement input validation to sanitize file paths and prevent the creation of symlinks that could lead to traversal attacks. After upgrade, confirm by attempting to extract a known malicious tar archive and verifying that it fails to write outside the designated extraction directory.
升级 Keras 到 3.12 或更高版本。 此更新通过在提取 tar 文件时修复路径遍历漏洞。 此外,请确保您拥有已修复 CVE-2025-4517 的 Python 版本(例如,Python 3.13.4 或更高版本)。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-12060 is a CRITICAL vulnerability in Keras allowing attackers to write files outside the intended extraction directory via malicious tar archives, potentially leading to code execution.
Yes, if you are using Keras versions 3.9.2 or earlier, you are vulnerable. Upgrade to 3.12.0 or later to resolve the issue.
Upgrade Keras to version 3.12.0 or later. As a temporary workaround, restrict the extraction directory and validate archive sources.
No active exploitation campaigns have been confirmed, but public proof-of-concept exploits are likely to emerge, increasing the risk.
Refer to the Keras project's official security advisories and release notes for detailed information and updates regarding CVE-2025-12060.
上传你的 requirements.txt 文件,立即知道是否受影响。