CVE-2026-12481 PUBLISHED

Deserialization of Untrusted Data in keras-team/keras

Assigner: @huntr_ai
Reserved: 17.06.2026 Published: 03.07.2026 Updated: 03.07.2026

A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the Lambda layer. Specifically, the _raise_for_lambda_deserialization() function fails to enforce the safe-mode guard when safe_mode is set to None, which is the default value when from_config() is called outside of a SafeModeScope context. This logic error conflates None (unset/default-deny) with False (explicitly disabled), bypassing the guard and allowing attacker-controlled marshal bytecode to be deserialized. Affected call sites include keras.layers.deserialize(config), keras.models.clone_model(model), and any direct invocation of Lambda.from_config(config) without an enclosing SafeModeScope(True). This vulnerability can be exploited to achieve arbitrary OS-level code execution in the context of the server or user process.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor keras-team
Product keras-team/keras
Versions
  • affected from unspecified to latest (incl.)

References

Problem Types

  • CWE-502 Deserialization of Untrusted Data CWE