CVE-2025-49655

EUVD-2025-34892
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
HiddenLayerCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
Debian logo
Debian Releases
Debian Product
Codename
keras
bullseye
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
keras
bionic
needs-triage
focal
needs-triage
jammy
dne
noble
dne
plucky
dne
questing
dne
Common Weakness Enumeration
References
https://github.com/keras-team/keras/pull/21575
https://hiddenlayer.com/sai_security_advisor/2025-10-keras/