Description
A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the `DiskIOStore.make` method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths without sanitizing for parent directory components (`..`). While forward slashes (`/`) are restricted in layer names, directory traversal sequences are not. This allows an attacker to craft a malicious Keras model that, when saved or loaded, can escape the intended temporary working directory and perform unauthorized file system operations, such as creating directories or writing files in arbitrary locations.
Published: 2026-06-22
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the DiskIOStore.make method of Keras 3.14.0 and allows a malicious model to use unvalidated layer names that contain directory traversal sequences such as "..". These names are concatenated into directory paths without sanitization, letting an attacker create or overwrite files outside the intended temporary working directory. The result is the ability to write arbitrary files, potentially leaking data or installing malicious payloads.

Affected Systems

Keras 3.14.0 from the keras-team. The issue affects any installation that processes model files—such as when saving a model through model.save() or loading a model via keras.models.load_model()—since the vulnerable code is invoked during those operations.

Risk and Exploitability

The CVSS score of 6.1 indicates a high severity with significant impact on confidentiality, integrity, and availability. Though the EPSS score is not available, the absence of a KEV listing suggests no current widespread exploitation, but the risk remains if an attacker can supply a crafted model. The likely attack vector is file-level injection through a malicious model file, which can be introduced to a machine either through user uploads, data feeds, or code that downloads models from external sources. If exploited, the attacker could elevate file system privileges relative to the application’s running user.

Generated by OpenCVE AI on June 22, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Keras to a patched release that validates or sanitizes layer names before constructing paths.
  • Implement an additional layer‑name validation layer in your code that rejects or cleans names containing ".." or other path traversal constructs.
  • Configure the temporary directory used for model I/O with restrictive filesystem permissions to limit the scope of any unintended writes.

Generated by OpenCVE AI on June 22, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the `DiskIOStore.make` method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths without sanitizing for parent directory components (`..`). While forward slashes (`/`) are restricted in layer names, directory traversal sequences are not. This allows an attacker to craft a malicious Keras model that, when saved or loaded, can escape the intended temporary working directory and perform unauthorized file system operations, such as creating directories or writing files in arbitrary locations.
Title Path Traversal in keras-team/keras
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 6.1, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-22T15:21:19.645Z

Reserved: 2026-06-17T00:28:44.653Z

Link: CVE-2026-12479

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')