
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical deserialization vulnerability (CVE-2025-49655) affects the Keras framework, versions 3.11.0 through 3.11.2. The flaw allows deserialization of untrusted data: a maliciously crafted Keras model file containing a TorchModuleWrapper layer executes arbitrary code on the end user's system when it is loaded, even with safe mode enabled. The vulnerability was publicly disclosed in October 2025 and affects both local and remote model loading (NVD, HiddenLayer).
The vulnerability lies in the TorchModuleWrapper class's from_config method, which reconstructs the wrapped PyTorch module by calling torch.load() with weights_only=False. In that mode torch.load falls back to Python's pickle module, and pickle is not a safe deserialization format: the byte stream can instruct the unpickler to import and call arbitrary Python callables, so an attacker who controls the file controls what runs during loading. Because this code path did not honour the safe_mode argument of keras.saving.load_model, the usual guard against code execution during deserialization did not apply. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and is categorized as CWE-502: Deserialization of Untrusted Data (HiddenLayer).
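The following is an added example, not Keras or PyTorch code, that shows the underlying primitive: a pickle stream that makes the unpickler call a function, loaded once with plain pickle (the same behaviour as torch.load with weights_only=False) and once through an allow-list unpickler, which is the approach torch's weights_only mode takes. The names Payload, attacker_action, RestrictedUnpickler and its ALLOWED set are all constructed for the demonstration; the "attacker action" only records a marker so the block is safe to run.

```python
import io
import pickle

# Constructed example, not Keras or PyTorch code. The "attacker action" only records
# a marker so it is safe to run; a real payload would call os.system or subprocess.
EXECUTED = []


def attacker_action(arg):
    """Stand-in for the command an attacker would have the unpickler run."""
    EXECUTED.append(arg)
    return arg


class Payload:
    """Object whose pickled form tells the unpickler to CALL attacker_action on load."""

    def __reduce__(self):
        # Serialised as a REDUCE opcode: unpickling evaluates attacker_action("pwned").
        return (attacker_action, ("pwned",))


def build_malicious_blob() -> bytes:
    """What a hostile model file carries in place of real weights (constructed)."""
    return pickle.dumps(Payload())


def unsafe_load(blob: bytes):
    """Plain pickle, the primitive torch.load(..., weights_only=False) relies on."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: only listed (module, name) globals may be resolved.

    Same idea as torch's weights_only=True; the ALLOWED set here is a minimal
    constructed list, not torch's real one.
    """

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "tuple"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode before anything is invoked.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_blocks(blob: bytes) -> bool:
    """True if the allow-list unpickler refuses the blob without running its payload."""
    before = len(EXECUTED)
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return len(EXECUTED) == before
    return False


if __name__ == "__main__":
    blob = build_malicious_blob()
    print("weights_only=False equivalent ->", unsafe_load(blob), EXECUTED)
    print("allow-list unpickler blocks it ->", safe_load_blocks(blob))
```

The point to take from the block is that the payload runs during load, before any code that receives the loaded object can inspect it; no check applied after torch.load returns can help, which is why the only sound options are an allow-list unpickler or refusing to deserialize at all.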
The vulnerability enables an attacker to execute arbitrary code on the target system when a malicious Keras model file is loaded. This occurs even when safe mode is enabled, and it affects both loading from a local file and loading a remote model through an 'hf://' (Hugging Face Hub) reference. The impact is particularly severe because exploitation requires no special privileges or user interaction beyond a normal model loading operation (HiddenLayer).
The vulnerability has been patched in version 3.11.3 of the Keras framework. The fix refuses to call torch.load inside TorchModuleWrapper when safe mode is enabled, so a model containing that layer can only be loaded with safe_mode=False, an explicit opt-in, and tightens validation of the deserialized data. Users are strongly advised to upgrade to version 3.11.3 or later. Note that upgrading does not make safe_mode=False safe: that setting still allows pickle-based deserialization, so models from untrusted sources should never be loaded with it (GitHub PR).
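As an added pre-load triage check (example code, not Keras's own), the block below opens a .keras archive without loading it and reports any layer whose class_name is TorchModuleWrapper. It assumes the Keras v3 archive layout (a zip containing config.json, metadata.json and model.weights.h5) and that the wrapper layer is serialized with class_name "TorchModuleWrapper"; the sample archive, including its placeholder for the embedded torch.save blob, is constructed inline.

```python
import io
import json
import zipfile

# Layer class names whose deserialization path reaches torch.load (assumed name).
SUSPECT_LAYERS = {"TorchModuleWrapper"}


def find_torch_wrappers(node, path="model"):
    """Walk a Keras config tree and return JSON paths of suspect layer entries."""
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") in SUSPECT_LAYERS:
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_torch_wrappers(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_torch_wrappers(value, f"{path}[{index}]"))
    return hits


def scan_keras_archive(data: bytes):
    """Inspect config.json inside a .keras zip without calling load_model."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("not a Keras v3 archive: config.json missing")
        config = json.loads(zf.read("config.json"))
    return find_torch_wrappers(config)


def build_sample_archive(include_wrapper: bool) -> bytes:
    """Constructed .keras archive; layout approximates Keras v3, not copied from it."""
    layers = [{"module": "keras.layers", "class_name": "Dense",
               "config": {"name": "dense", "units": 4}}]
    if include_wrapper:
        layers.append({
            "module": "keras.layers",
            "class_name": "TorchModuleWrapper",
            # In a real file this field carries a base64 torch.save blob (assumed).
            "config": {"name": "torch_wrapper", "module": "<base64 torch.save blob>"},
        })
    config = {"module": "keras", "class_name": "Sequential",
              "config": {"name": "sequential", "layers": layers}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.11.2"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"wrapper present={flag}:", scan_keras_archive(build_sample_archive(flag)))
```

Run this before load_model on any file from an untrusted source and refuse files that produce hits. It is defense in depth only: it inspects the declared layer graph, not the embedded blob, and it does not replace upgrading to 3.11.3 or loading untrusted models with safe_mode left at its default.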
The vulnerability was responsibly disclosed to the Keras team on July 30, 2025, and the vendor acknowledged receipt on August 1, 2025. A fix was published on August 13, 2025, followed by public disclosure on October 17, 2025. The security community has emphasized the severity of the vulnerability because it yields remote code execution from nothing more than loading a model (HiddenLayer).
Source: This report was generated using AI