PYSEC-2026-2547

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/keras/PYSEC-2026-2547.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2547
Aliases
Published
2026-07-13T15:02:47.434341Z
Modified
2026-07-13T16:32:00.924214170Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Keras has an untrusted deserialization vulnerability
Details

A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the from_config() method.

References

Affected packages

PyPI / keras

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.13.2

Affected versions

0.*
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.3.1
2.4.0
2.4.1
2.4.2
2.4.3
2.5.0rc0
2.6.0rc0
2.6.0rc1
2.6.0rc2
2.6.0rc3
2.6.0
2.7.0rc0
2.7.0rc2
2.7.0
2.8.0rc0
2.8.0rc1
2.8.0
2.9.0rc0
2.9.0rc1
2.9.0rc2
2.9.0
2.10.0rc0
2.10.0rc1
2.10.0
2.11.0rc0
2.11.0rc1
2.11.0rc2
2.11.0rc3
2.11.0
2.12.0rc0
2.12.0rc1
2.12.0
2.13.1rc0
2.13.1rc1
2.13.1
2.14.0rc0
2.14.0
2.15.0rc0
2.15.0rc1
2.15.0
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1.0
3.1.1
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.9.2
3.10.0
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0
3.12.1
3.12.2
3.12.3
3.13.0
3.13.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/keras/PYSEC-2026-2547.yaml"