The vulnerability is tracked as CVE-2025-12058 and it can be exploited for arbitrary file loading and conducting SSRF attacks.
November 7, 2025 By Ionut Arghire
A vulnerability in the open source library Keras could allow attackers to load arbitrary local files or conduct server-side request forgery (SSRF) attacks.
Providing a Python interface for artificial neural networks, Keras is a deep learning API that can be used as a low-level cross-framework language for the building of AI models that work with JAX, TensorFlow, and PyTorch.
Tracked as CVE-2025-12058 (CVSS score of 5.9), the medium-severity flaw exited because the library’s StringLookup and IndexLookup preprocessing layers allow for file paths or URLs to be used as inputs to define vocabularies.
When Keras reconstructed the layers by loading a serialized model, it would access the referenced file paths during deserialization, without proper validation or restriction, and incorporate the contents of the specified files into the model state.
