Arbitrary File Loading and SSRF in Keras by Google
CVE-2025-12058

5.9MEDIUM

Key Information:

Vendor: Keras
Status: Keras
Vendor: CVE Published:; 29 October 2025

What is CVE-2025-12058?

The Keras.Model.load_model method has a design flaw allowing arbitrary local file loading and Server-Side Request Forgery (SSRF). Specifically, the StringLookup layer's configuration permits the inclusion of local or remote file paths. An attacker can create a malicious .keras file that points to sensitive local files, compromising the system by allowing unauthorized access to these files. Additionally, Keras, through tf.io.gfile, enables the loading of external resources via network endpoints, which can be exploited to access unauthorized data, making it susceptible to SSRF attacks. The intended protection provided by the safe_mode=True flag has proven ineffective, as it does not adequately prevent this unauthorized data access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Keras 0 < 3.12.0

References

https://github.com/keras-team/keras/security/advisories/G...

https://github.com/keras-team/keras/pull/21751

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Oct 29, 2025
Vulnerability Reserved
Oct 22, 2025

Credit

Jayashwa Singh Chauhan

JSON

Keras