9.8
CVE-2025-49655
- EPSS 0.71%
- Veröffentlicht 17.10.2025 15:20:27
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle 6f8de1f0-f67e-45a6-b68f-98777f
- CVE-Watchlists
- Unerledigt
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerKeras
≫
Produkt
Keras
Default Statusunaffected
Version
3.11.0
Version <
3.11.3
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.71% | 0.486 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 6f8de1f0-f67e-45a6-b68f-98777fdb759c | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://hiddenlayer.com/sai_security_advisor/2025-10-keras/
https://github.com/keras-team/keras/pull/21575