CVE-2025-49655: 
Python vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-49655) was discovered in the Keras framework affecting versions 3.11.0 through 3.11.2. The vulnerability allows deserialization of untrusted data, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to execute arbitrary code on an end user's system when loaded, even with safe mode enabled. The vulnerability was disclosed on October 17, 2025, and received a CVSS score of 9.8 (Critical) (NVD, HiddenLayer).

The vulnerability exists in the TorchModuleWrapper class's fromconfig method, which uses torch.load() with weightsonly=False parameter. This configuration causes Torch to fall back on Python's pickle module for deserialization, which is known to be unsafe. The vulnerability is tracked as CWE-502 (Deserialization of Untrusted Data) and can be triggered through both local and remote files. The issue affects systems using PyTorch as the backend (KERASBACKEND="torch"), while configurations using JAX, TensorFlow, or OpenVINO remain unaffected ([HiddenLayer](https://hiddenlayer.com/saisecurity_advisor/2025-10-keras/), Security Online).

The vulnerability allows attackers to execute arbitrary system commands on an end user's system by loading a maliciously crafted model file. The impact is particularly severe as it can be triggered even when Keras' safe mode is enabled. Attackers can embed malicious payloads into legitimate Keras model files (.keras) to deliver hidden payloads, making it a significant threat to ML supply chain security (Security Online).

The vulnerability has been patched in Keras version 3.11.3. Users are strongly advised to upgrade to this version or later. The fix involves adding a security check in the TorchModuleWrapper.fromconfig method that verifies if insafe_mode() flag is active and raises a ValueError if true, preventing the unsafe deserialization of torch.nn.Module objects (GitHub PR).