Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| keras(PyPI) | 3.11.0 | 3.11.3 | N/A |
CVSS Metrics
