CVE-2025-49655: Keras framework vulnerable to deserialization of untrusted data

October 17, 2025

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

References

github.com/advisories/GHSA-cvhh-q5g5-qprp
github.com/keras-team/keras
github.com/keras-team/keras/pull/21575
hiddenlayer.com/sai_security_advisor/2025-10-keras
nvd.nist.gov/vuln/detail/CVE-2025-49655

Code Behaviors & Features

Detect and mitigate CVE-2025-49655 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →