
CVE-2025-12058: Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery

CVSS Score: N/A

Basic Information

EPSS Score: 0.06741%
Published: 10/29/2025
Updated: 10/29/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
keras | pip | < 3.12.0 | 3.12.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability exists in the IndexLookup layer, the parent class of the StringLookup and IntegerLookup layers in Keras. The root cause is that the vocabulary parameter was honoured without restriction when a model was deserialized with keras.models.load_model(..., safe_mode=True), even though safe_mode is the documented mitigation against untrusted model files.

An attacker can craft a malicious .keras model file in which a StringLookup layer's configuration carries a vocabulary key whose value is a local file path (e.g. /etc/passwd) or a URL. When the victim loads the model, deserialization rebuilds the layers: IndexLookup.__init__ receives the attacker-controlled string and passes it to IndexLookup.set_vocabulary to populate the vocabulary.

Before the patch, set_vocabulary did not consult safe_mode at all. If vocabulary was a string it treated it as a path and read it through tf.io.gfile, which resolves local paths as well as remote schemes (the advisory lists file://, http://, https:// and gs://). Depending on what the string points to, the result is an arbitrary local file read or a Server-Side Request Forgery (SSRF). Note that the lines of the target file become the layer's vocabulary, so their contents can be recovered afterwards simply by querying the loaded layer.

The patch adds a check, if serialization_lib.in_safe_mode():, to the string branch of set_vocabulary. When safe mode is active, a request to load the vocabulary from an external file path now raises a ValueError instead of reading it. The fix shipped in keras 3.12.0; loading with safe_mode=False re-enables the old behaviour and remains a trust decision about the model file.
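To make the call chain and the fix concrete, the following is an added example, not Keras's own code: a stripped-down model of IndexLookup.set_vocabulary as it behaved before and after the fix, driven through a minimal stand-in for safe-mode deserialization. The names SafeModeScope, in_safe_mode, read_vocabulary_file and load_layer_from_config are this example's approximations of the real serialization_lib and tf.io.gfile plumbing; the "sensitive" file is a constructed temp file standing in for /etc/passwd.

```python
import contextlib
import os
import tempfile
import threading

# Added example, not Keras code. Models the pre- and post-patch behaviour of
# IndexLookup.set_vocabulary when a string `vocabulary` arrives from a model
# config during safe-mode loading (CVE-2025-12058).

_state = threading.local()


def in_safe_mode():
    """Approximation of serialization_lib.in_safe_mode(): True inside SafeModeScope."""
    return getattr(_state, "safe_mode", False)


@contextlib.contextmanager
def SafeModeScope(safe_mode=True):
    """Set the safe-mode flag for the duration of a (simulated) model load."""
    previous = in_safe_mode()
    _state.safe_mode = safe_mode
    try:
        yield
    finally:
        _state.safe_mode = previous


def read_vocabulary_file(path):
    """Stand-in for the tf.io.gfile read: one vocabulary term per line."""
    with open(path, encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


class IndexLookup:
    """Simplified stand-in for keras IndexLookup (hypothetical, not the real class)."""

    PATCHED = True  # class-level switch so both behaviours can be exercised

    def __init__(self, vocabulary=None, name="index_lookup"):
        self.name = name
        self.vocabulary = []
        if vocabulary is not None:
            # As in Keras, the constructor forwards the config value straight
            # to set_vocabulary; this is the vulnerable call chain.
            self.set_vocabulary(vocabulary)

    def set_vocabulary(self, vocabulary):
        if isinstance(vocabulary, str):
            # The 3.12.0 fix: refuse a file-backed vocabulary while the model
            # is being deserialized in safe mode.
            if self.PATCHED and in_safe_mode():
                raise ValueError(
                    f"Layer {self.name!r}: loading a vocabulary from a file "
                    f"path ({vocabulary!r}) is disallowed in safe_mode."
                )
            vocabulary = read_vocabulary_file(vocabulary)
        self.vocabulary = list(vocabulary)


class StringLookup(IndexLookup):
    pass


LAYER_CLASSES = {"IndexLookup": IndexLookup, "StringLookup": StringLookup}


def load_layer_from_config(layer_config, safe_mode=True):
    """Minimal analogue of load_model(..., safe_mode=...) for a single layer."""
    cls = LAYER_CLASSES[layer_config["class_name"]]
    with SafeModeScope(safe_mode):
        return cls(**layer_config["config"])


def demo(patched):
    """Load a malicious layer config under safe_mode=True with the chosen behaviour.

    Returns ("read", lines) if the file was read into the vocabulary, or
    ("blocked", message) if the safe-mode check refused it.
    """
    IndexLookup.PATCHED = patched
    # Constructed stand-in for a sensitive local file such as /etc/passwd.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        secret_path = fh.name
    # Constructed layer config as it would sit inside a malicious config.json:
    # `vocabulary` is a path instead of an inline list of terms.
    malicious_config = {
        "class_name": "StringLookup",
        "config": {"name": "string_lookup", "vocabulary": secret_path},
    }
    try:
        layer = load_layer_from_config(malicious_config, safe_mode=True)
        return ("read", layer.vocabulary)
    except ValueError as exc:
        return ("blocked", str(exc))
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print("vulnerable:", demo(patched=False))
    print("patched:   ", demo(patched=True))
```

Running it shows the vulnerable variant returning the file's lines as the layer vocabulary under safe_mode=True, while the patched variant raises before any read; an inline list vocabulary still loads in both variants, which is why the fix costs nothing for normally serialized models.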

Vulnerable functions

IndexLookup.set_vocabulary
keras/src/layers/preprocessing/index_lookup.py
This function is responsible for loading vocabulary from a file. Before the patch, it did not check if the model was being loaded in `safe_mode`. An attacker could craft a malicious Keras model with a `StringLookup` layer where the `vocabulary` parameter points to a local file path or a URL. During model loading, this function would be called and would read the content from the specified path, leading to an arbitrary file read or a Server-Side Request Forgery (SSRF) vulnerability.
IndexLookup.__init__
keras/src/layers/preprocessing/index_lookup.py
This constructor is the entry point for creating an `IndexLookup` (or its subclass `StringLookup`) layer. When loading a Keras model, this method is called with the configuration stored in the model file. An attacker can set the `vocabulary` parameter to a malicious path in the model file. The constructor then passes this path to the `set_vocabulary` method, which contained the file access vulnerability. Therefore, this constructor is the initial function in the vulnerable call chain during model loading.
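Because the attacker-controlled string lives in the model's serialized configuration, it can be spotted before anything is deserialized. The following is an added example, not Keras or Miggo code: a pre-load check that opens a .keras archive (a zip containing config.json), walks the layer tree and reports every StringLookup, IntegerLookup or IndexLookup layer whose vocabulary is a string (a path or URL) rather than an inline list. The helper build_sample_archive constructs a minimal archive with constructed layer configs for the demonstration; real archives also carry weights, which the scanner ignores.

```python
import io
import json
import zipfile

# Added example, not Keras code: scan a .keras archive's config.json for
# lookup layers whose `vocabulary` is a string, the indicator behind
# CVE-2025-12058, before handing the file to load_model().

LOOKUP_LAYERS = {"IndexLookup", "StringLookup", "IntegerLookup"}


def _walk(node):
    """Yield every dict nested anywhere inside node (through dicts and lists)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def find_file_backed_vocabularies(config):
    """Return (layer_name, vocabulary) pairs for lookup layers with a string vocabulary."""
    findings = []
    for node in _walk(config):
        if node.get("class_name") not in LOOKUP_LAYERS:
            continue
        layer_cfg = node.get("config")
        if not isinstance(layer_cfg, dict):
            continue
        vocab = layer_cfg.get("vocabulary")
        if isinstance(vocab, str):
            findings.append((layer_cfg.get("name", "<unnamed>"), vocab))
    return findings


def scan_keras_archive(data):
    """Scan the raw bytes of a .keras file; an empty list means no string vocabularies."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_file_backed_vocabularies(config)


def build_sample_archive(vocabulary_values):
    """Construct a minimal .keras-style zip (test data only) holding one StringLookup
    layer per entry in vocabulary_values; weights are omitted."""
    layers = [
        {
            "module": "keras.layers",
            "class_name": "StringLookup",
            "config": {"name": f"string_lookup_{i}", "vocabulary": vocab},
        }
        for i, vocab in enumerate(vocabulary_values)
    ]
    config = {
        "module": "keras",
        "class_name": "Sequential",
        "config": {"name": "sequential", "layers": layers},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.11.0"}))
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign inline vocabulary, one local path, one URL.
    sample = build_sample_archive(
        [["cat", "dog"], "/etc/passwd", "https://attacker.example/vocab.txt"]
    )
    for name, vocab in scan_keras_archive(sample):
        print(f"suspicious lookup layer {name!r}: vocabulary={vocab!r}")
```

The scanner flags any string vocabulary rather than trying to classify schemes, since tf.io.gfile accepts several and a bare path is just as dangerous as a URL; a model you trust enough to load with file-backed vocabularies is one you should be loading with safe_mode=False deliberately, not by accident.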

WAF Protection Rules

WAF Rule

The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringL
