GHSA-pwq7-2gvj-vg9v

Published: 11 Aug 2025
Source: github
Github: Reviewed
CVSS4: 8.6

Description

Duplicate Advisory: Keras safe mode bypass vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c9rc-mg46-23w3. This link is maintained to preserve external references.

Original Description

A safe mode bypass vulnerability in the Model.load_model method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted .keras model archive.

Packages

Name: keras
Ecosystem: pip
Affected versions: >= 3.0.0, < 3.11.0
Fixed version: 3.11.0

CVSS4: 8.6 High

Weaknesses: CWE-502
