
Cloud Vulnerability DB
A community-led vulnerabilities database
The Keras.Model.load_model method contains a vulnerability (CVE-2025-12058) that allows arbitrary local file loading and Server-Side Request Forgery (SSRF), even when using the intended security mitigation safe_mode=True. The vulnerability was discovered in October 2025 and affects the StringLookup layer handling during model loading from specially crafted .keras archives (NVD).
The vulnerability stems from the way the StringLookup layer is handled during model loading. The constructor accepts a vocabulary argument that can specify local or remote file paths. When loading a malicious .keras file with embedded local paths in the StringLookup layer's configuration, Keras attempts to read the specified local file content and incorporate it into the model state. Additionally, since Keras uses tf.io.gfile for file operations which supports remote filesystem handlers (GCS, HDFS) and HTTP/HTTPS protocols, this can be exploited for SSRF attacks. The vulnerability has been assigned a CVSS v4.0 score of 5.9 (Medium) with vector CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L (NVD).
The vulnerability has two main impact vectors: 1) Arbitrary Local File Read - attackers can read arbitrary local files on the hosting system through the model state, and 2) Server-Side Request Forgery (SSRF) - attackers can make the server fetch content from arbitrary network endpoints, potentially bypassing network security controls (NVD).
A fix has been implemented that modifies StringLookup and IntegerLookup to embed vocabularies loaded from files directly into the .keras model archive, making the archive self-contained and removing dependencies on external vocabulary files. The fix also includes a security check to prevent loading arbitrary files when safe_mode is enabled (GitHub PR).
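A pre-load check in the spirit of the fix described above, added here as an example and not code from the Keras project: it opens a .keras zip, walks config.json and flags StringLookup or IntegerLookup layers whose vocabulary is a string (a file path or URL) rather than an inline token list, so such an archive can be rejected before load_model ever touches it. The config.json layout and the sample vocabulary values are constructed assumptions.

```python
import io
import json
import zipfile

# Layers whose "vocabulary" argument may name a local or remote file.
LOOKUP_LAYERS = {"StringLookup", "IntegerLookup"}


def _walk(node):
    """Yield every dict nested anywhere inside a decoded JSON value."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def find_external_vocabularies(keras_archive_bytes):
    """Return [(class_name, vocabulary)] for lookup layers that reference an external file/URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(keras_archive_bytes)) as zf:
        config = json.loads(zf.read("config.json"))
    for layer in _walk(config):
        if layer.get("class_name") in LOOKUP_LAYERS:
            vocab = layer.get("config", {}).get("vocabulary")
            # An inline vocabulary is a list of tokens; a str is a path or URL.
            if isinstance(vocab, str):
                findings.append((layer["class_name"], vocab))
    return findings


def build_sample_archive(vocabulary):
    """Constructed fixture: a minimal config.json inside a zip, mimicking a .keras archive."""
    config = {"class_name": "Functional", "config": {"layers": [
        {"class_name": "InputLayer", "config": {"name": "input"}},
        {"class_name": "StringLookup", "config": {"name": "lookup", "vocabulary": vocabulary}},
    ]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder path and URL; only the type of the value matters to the check.
    for vocab in (["a", "b"], "/tmp/constructed/vocab.txt", "https://example.invalid/vocab.txt"):
        print(vocab, "->", find_external_vocabularies(build_sample_archive(vocab)))
```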
Source: This report was generated using AI