CVE-2025-49655

EUVD-2025-34892
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
HiddenLayerCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
keraskeras
3.11.0 ≤
𝑥
< 3.11.3
CNA
Debian logo
Debian Releases
Debian Product
Codename
keras
bullseye
ignored
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
keras
bionic
needs-triage
focal
needs-triage
jammy
dne
noble
dne
plucky
dne
questing
dne
Common Weakness Enumeration
References
https://github.com/keras-team/keras/pull/21575
https://hiddenlayer.com/sai_security_advisor/2025-10-keras/