Impact
The vulnerability resides in Keras versions before 3.14.0, where the archive extraction utilities validate member paths against the current working directory (CWD) rather than the intended extraction location. When the process runs with CWD set to the filesystem root, which is common in container, CI/CD, or Jupyter environments, traversal patterns can bypass the security check, allowing an attacker to write arbitrary files outside the target directory. The flaw also triggers an AttributeError that can leave extraction incomplete, potentially causing a denial of service or partial corruption of datasets. The impact is that an attacker who can supply a malicious tar or zip archive can overwrite configuration files, inject code, or corrupt machine learning pipelines. The weakness is a classic path‑traversal flaw (CWE‑22).
Affected Systems
Keras Team’s Keras library, any version older than 3.14.0. The flaw does not affect any newer releases; installation of 3.14.0 or later eliminates the vulnerability.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity. The EPSS score is not available, so no exact exploitation probability is provided, but the scenario is realistic in environments where processes extract user‑supplied archives with a default CWD of /. The vulnerability is not listed in the CISA KEV catalog, yet the potential for arbitrary file writes makes it a critical concern. Exploitation requires an attacker’s ability to supply or influence the archive contents, which is feasible in many automated build or deployment pipelines that accept external archives.
OpenCVE Enrichment