CVE-2025-49655 — Keras framework vulnerable to deserialization of untrusted data

Description

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.

How to fix CVE-2025-49655

To remediate CVE-2025-49655, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 3.11.3 or later

Is CVE-2025-49655 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
>= 3.11.0, < 3.11.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-49655
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-49655
PATCHgithub.com/keras-team/keras
WEBgithub.com/keras-team/keras/pull/21575
WEB