CVE-2025-49655

CRITICAL

Keras 3.11.0-3.11.2 - Remote Code Execution via TorchModuleWrapper Deserialization


Description

Deserialization of untrusted data can occur in Keras versions 3.11.0 up to but not including 3.11.3. A maliciously uploaded Keras file containing a TorchModuleWrapper class can run arbitrary code on an end user's system when the file is loaded, even with safe mode enabled. The vulnerability can be triggered through both local and remote files.

Scores

CVSS v3 9.8
EPSS 0.0005
EPSS Percentile 14.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Products (2)
Keras/Keras 3.11.0 - 3.11.3
pypi/keras 3.11.0 - 3.11.3
Published Oct 17, 2025
Tracked Since Feb 18, 2026