GHSA-4f3f-g24h-fr8m

Source

https://github.com/advisories/GHSA-4f3f-g24h-fr8m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4f3f-g24h-fr8m/GHSA-4f3f-g24h-fr8m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4f3f-g24h-fr8m

Aliases

CVE-2026-1462

Downstream

MINI-j2mx-xh6r-256r

Published

2026-04-13T15:31:42Z

Modified

2026-04-14T23:34:52.084932Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Keras has an untrusted deserialization vulnerability

Details

A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the from_config() method.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-04-13T15:17:18Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed_at": "2026-04-14T23:17:11Z",
    "severity": "HIGH"
}

References

Affected packages

PyPI / keras

Package

Name: keras; View open source insights on deps.dev
Purl: pkg:pypi/keras

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.13.2

Affected versions

0.*

0.2.0

0.3.0

0.3.1

0.3.2

0.3.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.1.0

1.1.1

1.1.2

1.2.0

1.2.1

1.2.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.4.3

2.5.0rc0

2.6.0rc0

2.6.0rc1

2.6.0rc2

2.6.0rc3

2.6.0

2.7.0rc0

2.7.0rc2

2.7.0

2.8.0rc0

2.8.0rc1

2.8.0

2.9.0rc0

2.9.0rc1

2.9.0rc2

2.9.0

2.10.0rc0

2.10.0rc1

2.10.0

2.11.0rc0

2.11.0rc1

2.11.0rc2

2.11.0rc3

2.11.0

2.12.0rc0

2.12.0rc1

2.12.0

2.13.1rc0

2.13.1rc1

2.13.1

2.14.0rc0

2.14.0

2.15.0rc0

2.15.0rc1

2.15.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.3.1

3.3.2

3.3.3

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.8.0

3.9.0

3.9.1

3.9.2

3.10.0

3.11.0

3.11.1

3.11.2

3.11.3

3.12.0

3.12.1

3.13.0

3.13.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4f3f-g24h-fr8m/GHSA-4f3f-g24h-fr8m.json"