CVE-2025-49655

CRITICAL9.8EPSS 0.05%

Keras framework vulnerable to deserialization of untrusted data

Published: 10/17/2025Modified: 4/28/2026

Description

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

Affected packages (2)

Debian/kerasfrom 0
PyPI/keras>= 3.11.0, < 3.11.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-49655
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-49655
PATCHhttps://github.com/keras-team/keras
WEBhttps://github.com/keras-team/keras/pull/21575
WEBhttps://hiddenlayer.com/sai_security_advisor/2025-10-keras