CVE-2025-49655

CRITICAL

Pypi Keras < 3.11.3 - Insecure Deserialization

Title source: rule

Description

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

References (2)

[Various Sources] https://hiddenlayer.com/sai_security_advisor/2025-10-keras/

[Issue Tracking] https://github.com/keras-team/keras/pull/21575

Scores

CVSS v3 9.8

EPSS 0.0010

EPSS Percentile 26.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Affected Products (1)

pypi/keras < 3.11.3PyPI

Timeline

Published Oct 17, 2025

Tracked Since Feb 18, 2026