CVE-2025-12638
📋 TL;DR
This CVE describes a path traversal vulnerability in Keras 3.11.3's keras.utils.get_file() function when extracting tar archives. The vulnerability allows attackers to write files outside the intended extraction directory due to a symlink resolution bug during extraction. This affects any Keras installation that processes tar archives using the vulnerable get_file() function.
💻 Affected Systems
- Keras
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file write leading to system compromise, privilege escalation, or remote code execution if combined with other vulnerabilities.
Likely Case
Arbitrary file write to sensitive locations, potentially enabling data corruption, denial of service, or persistence mechanisms.
If Mitigated
Limited to cache directory writes if proper sandboxing or containerization is implemented.
🎯 Exploit Status
Exploitation requires the ability to supply a malicious tar archive to the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.11.4 or later
Vendor Advisory: https://github.com/keras-team/keras/security/advisories
Restart Required: No
Instructions:
1. Update Keras using pip: pip install --upgrade keras
2. Verify the version is 3.11.4 or higher
3. No restart required as this is a Python library update
🔧 Temporary Workarounds
Disable tar extraction in get_file()
allAvoid using keras.utils.get_file() with tar archives from untrusted sources.
# Modify code to use alternative extraction methods or validate archives
Use secure extraction wrapper
allImplement a custom extraction function with proper security controls.
import tarfile
import os
def safe_extract(tar_path, extract_path):
with tarfile.open(tar_path) as tar:
for member in tar.getmembers():
member_path = os.path.join(extract_path, member.name)
if not os.path.realpath(member_path).startswith(os.path.realpath(extract_path)):
raise ValueError('Path traversal attempt detected')
tar.extractall(extract_path, filter='data')
🧯 If You Can't Patch
- Avoid processing tar archives from untrusted sources with keras.utils.get_file()
- Implement strict input validation and sandbox extraction to isolated directories
🔍 How to Verify
Check if Vulnerable:
Check if using Keras 3.11.3 and calling keras.utils.get_file() with tar archives.Check Version:
python -c "import keras; print(keras.__version__)"Verify Fix Applied:
Verify Keras version is 3.11.4 or higher and test tar extraction with malicious paths.📡 Detection & Monitoring
Log Indicators:
- Failed extraction attempts with path traversal errors
- Unexpected file writes outside cache directories
Network Indicators:
- Downloads of tar archives to Keras applications
SIEM Query:
Process execution logs showing keras.utils.get_file() calls with tar file arguments