{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49655", "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "state": "PUBLISHED", "assignerShortName": "HiddenLayer", "dateReserved": "2025-06-09T13:58:25.617Z", "datePublished": "2025-10-17T15:20:27.308Z", "dateUpdated": "2025-10-17T15:58:34.204Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Keras", "repo": "https://github.com/keras-team/keras", "vendor": "Keras", "versions": [{"lessThan": "3.11.3", "status": "affected", "version": "3.11.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a&nbsp;TorchModuleWrapper class to run arbitrary code on an end user\u2019s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.<br>"}], "value": "Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a\u00a0TorchModuleWrapper class to run arbitrary code on an end user\u2019s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "shortName": "HiddenLayer", "dateUpdated": "2025-10-17T15:20:27.308Z"}, "references": [{"url": "https://hiddenlayer.com/sai_security_advisor/2025-10-keras/"}, {"url": "https://github.com/keras-team/keras/pull/21575"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-17T15:57:54.529745Z", "id": "CVE-2025-49655", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T15:58:34.204Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49655", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-17T15:57:54.529745Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T15:58:27.423Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/keras-team/keras", "vendor": "Keras", "product": "Keras", "versions": [{"status": "affected", "version": "3.11.0", "lessThan": "3.11.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hiddenlayer.com/sai_security_advisor/2025-10-keras/"}, {"url": "https://github.com/keras-team/keras/pull/21575"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a\u00a0TorchModuleWrapper class to run arbitrary code on an end user\u2019s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a&nbsp;TorchModuleWrapper class to run arbitrary code on an end user\u2019s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "shortName": "HiddenLayer", "dateUpdated": "2025-10-17T15:20:27.308Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49655", "state": "PUBLISHED", "dateUpdated": "2025-10-17T15:58:34.204Z", "dateReserved": "2025-06-09T13:58:25.617Z", "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "datePublished": "2025-10-17T15:20:27.308Z", "assignerShortName": "HiddenLayer"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a\u00a0TorchModuleWrapper class to run arbitrary code on an end user\u2019s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files."}], "id": "CVE-2025-49655", "lastModified": "2025-10-17T16:15:37.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}, "published": "2025-10-17T16:15:37.420", "references": [{"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://github.com/keras-team/keras/pull/21575"}, {"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "url": "https://hiddenlayer.com/sai_security_advisor/2025-10-keras/"}], "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}

{}

{"created": "2025-10-20T13:22:01.096632+00:00", "updated": "2025-10-20T13:22:01.096669+00:00", "vendors": ["keras", "keras$PRODUCT$keras"]}