CVE-2025-12058: 
Python vulnerability analysis and mitigation

The Keras.Model.loadmodel method contains a vulnerability (CVE-2025-12058) that affects the handling of StringLookup layer during model loading, even when using the intended security mitigation safemode=True. The vulnerability was discovered and disclosed on October 29, 2025, affecting Keras versions prior to 3.12.0. This security issue impacts systems using Keras for machine learning model operations, particularly those loading models with StringLookup layers (NVD, Miggo).

The vulnerability stems from improper handling of the vocabulary parameter in the IndexLookup layer, which is the parent class for StringLookup and IntegerLookup layers. The constructor for the StringLookup layer accepts a vocabulary argument that can specify either a local file path or a remote file path. The CVSS v4.0 score is 5.9 (Medium) with vector string CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD, Miggo).

The vulnerability has two main impact vectors: Arbitrary Local File Read, where an attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration, allowing access to arbitrary local files on the hosting system; and Server-Side Request Forgery (SSRF), where the tf.io.gfile support for remote filesystem handlers can be exploited to fetch content from arbitrary network endpoints (NVD).

The vulnerability has been patched in Keras version 3.12.0. The fix includes adding a security check in the setvocabulary method that prevents loading arbitrary files when safemode is enabled. Users are advised to upgrade to this version or later. The patch addresses the issue by raising a ValueError if it's asked to load a vocabulary from an external file path when safe_mode is enabled (Miggo).