Description
Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to `/`, which is common in Docker containers, CI/CD runners, and Jupyter environments, the validation boundary becomes the filesystem root, allowing traversal paths to bypass the security check. Additionally, the zip filter contains a bug that causes an `AttributeError` when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the `filter="data"` safety net, leaving them entirely reliant on the flawed CWD-based filter. Exploitation of this vulnerability can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines.
Published: 2026-06-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Keras versions before 3.14.0, where the archive extraction utilities validate member paths against the current working directory (CWD) rather than the intended extraction location. When the process runs with CWD set to the filesystem root, which is common in container, CI/CD, or Jupyter environments, traversal patterns can bypass the security check, allowing an attacker to write arbitrary files outside the target directory. The flaw also triggers an AttributeError that can leave extraction incomplete, potentially causing a denial of service or partial corruption of datasets. The impact is that an attacker who can supply a malicious tar or zip archive can overwrite configuration files, inject code, or corrupt machine learning pipelines. The weakness is a classic path‑traversal flaw (CWE‑22).

Affected Systems

Keras Team’s Keras library, any version older than 3.14.0. The flaw does not affect any newer releases; installation of 3.14.0 or later eliminates the vulnerability.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score is not available, so no exact exploitation probability is provided, but the scenario is realistic in environments where processes extract user‑supplied archives with a default CWD of /. The vulnerability is not listed in the CISA KEV catalog, yet the potential for arbitrary file writes makes it a critical concern. Exploitation requires an attacker’s ability to supply or influence the archive contents, which is feasible in many automated build or deployment pipelines that accept external archives.

Generated by OpenCVE AI on June 11, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Keras 3.14.0 or later
  • Configure the extraction process to avoid using `/` as the working directory, ensuring the validation boundary aligns with the intended extraction path
  • Validate all archive members against a canonical path before extraction to detect traversal attempts
  • Restrict the permissions of the user performing extraction and monitor the system for unexpected file modifications

Generated by OpenCVE AI on June 11, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Important


Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Keras-team
Keras-team keras
Vendors & Products Keras-team
Keras-team keras

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to `/`, which is common in Docker containers, CI/CD runners, and Jupyter environments, the validation boundary becomes the filesystem root, allowing traversal paths to bypass the security check. Additionally, the zip filter contains a bug that causes an `AttributeError` when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the `filter="data"` safety net, leaving them entirely reliant on the flawed CWD-based filter. Exploitation of this vulnerability can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines.
Title Path Traversal in keras-team/keras
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Keras-team Keras
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-30T12:06:54.441Z

Reserved: 2026-06-09T16:16:56.354Z

Link: CVE-2026-11816

cve-icon Vulnrichment

Updated: 2026-06-30T02:45:54.328Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T14:16:26.557

Modified: 2026-06-11T17:16:31.270

Link: CVE-2026-11816

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-11T13:31:52Z

Links: CVE-2026-11816 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:18:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')