9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-49655

GHSA ID

GHSA-cvhh-q5g5-qprp

EPSS Score

CWE

CWE-502

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49655

CVE-2025-49655: Keras framework vulnerable to deserialization of untrusted data

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-49655

CVE-2025-49655:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-49655

GHSA ID

GHSA-cvhh-q5g5-qprp

EPSS Score

CWE

CWE-502

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
keras	pip	>= 3.11.0, < 3.11.3	3.11.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the Keras library's handling of model deserialization, specifically within the TorchModuleWrapper class. The core of the issue is an insecure deserialization vulnerability (CWE-502). When a Keras model containing a TorchModuleWrapper layer is loaded, the from_config method is invoked to reconstruct the layer from its configuration.

The analysis of the patch ae2652208435eae8ca30bd45ccb2430d7a25c29d reveals that the from_config method in keras/src/utils/torch_utils.py was modified. Before the patch, this method would decode and load a torch.nn.Module from the model's configuration without any safety checks, even when Keras was operating in safe_mode. The torch.load function is known to be unsafe when used on untrusted data, as it can execute arbitrary code.

An attacker could exploit this by creating a malicious Keras model file. This file would contain a TorchModuleWrapper with a specially crafted payload in the module field of its configuration. When a victim loads this malicious model, the TorchModuleWrapper.from_config function would be called, leading to the deserialization of the payload and subsequent arbitrary code execution on the victim's machine.

The patch addresses this vulnerability by adding a crucial security check. It now verifies if the in_safe_mode() flag is active. If it is, the function raises a ValueError, preventing the deserialization of the torch.nn.Module and informing the user about the potential security risk. This ensures that by default, Keras does not perform this dangerous operation, and the user must explicitly disable safe_mode to proceed, acknowledging the risk.

Vulnerable functions

TorchModuleWrapper.from_config

keras/src/utils/torch_utils.py

The `from_config` class method within the `TorchModuleWrapper` class is responsible for deserializing a Keras model's configuration. The vulnerability lies in the fact that this method would deserialize a `torch.nn.Module` object using `torch.load` (implicitly via `io.BytesIO` and the subsequent loading mechanism) from the provided configuration, even when the `safe_mode` was enabled. An attacker could craft a malicious Keras file where the 'module' part of the configuration contains a pickled Python object that executes arbitrary code upon deserialization. The patch introduces a check for `in_safe_mode()` and raises a `ValueError` to prevent this deserialization from occurring, thus mitigating the remote code execution risk.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-49655: Keras framework vulnerable to deserialization of untrusted data

CVE-2025-49655:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.8

9.8

Technical Details

CVE-2025-49655: Keras framework vulnerable to deserialization of untrusted data

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI