{"id":"CVE-2025-49655","details":"Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.","aliases":["GHSA-cvhh-q5g5-qprp"],"modified":"2026-04-10T05:29:01.142763Z","published":"2025-10-17T16:15:37.420Z","references":[{"type":"WEB","url":"https://hiddenlayer.com/sai_security_advisor/2025-10-keras/"},{"type":"FIX","url":"https://github.com/keras-team/keras/pull/21575"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"both"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49655.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}