csaf_microsoft - msrc_cve-2025-12058

MSRC_CVE-2025-12058

Vulnerability from csaf_microsoft - Published: 2025-10-02 00:00 - Updated: 2025-10-31 01:03

Summary

Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-12058 Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-12058.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF",
    "tracking": {
      "current_release_date": "2025-10-31T01:03:15.000Z",
      "generator": {
        "date": "2025-11-04T20:08:19.286Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-12058",
      "initial_release_date": "2025-10-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-10-31T01:03:15.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 keras 3.3.3-4",
                "product": {
                  "name": "azl3 keras 3.3.3-4",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version_range",
                "name": "cbl2 keras 2.11.0-3",
                "product": {
                  "name": "cbl2 keras 2.11.0-3",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "keras"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 keras 3.3.3-4 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 keras 2.11.0-3 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-12058",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "general",
          "text": "Google",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-1",
          "17086-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-12058 Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-12058.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2025-10-31T01:03:15.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        },
        {
          "category": "none_available",
          "date": "2025-10-31T01:03:15.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-2"
          ]
        }
      ],
      "title": "Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF"
    }
  ]
}

CVE-2025-12058 (GCVE-0-2025-12058)

Vulnerability from cvelistv5 – Published: 2025-10-29 08:48 – Updated: 2025-10-29 14:11

Summary

The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path. * Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer's configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system. * Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server's behalf, resulting in an SSRF condition. The security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access.

Severity ?

5.9 (Medium)


                        
                          CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

Google

References

URL

Tags

	https://github.com/keras-team/keras/security/advi…
	https://github.com/keras-team/keras/pull/21751

Impacted products

	Vendor	Product	Version
	Keras	Keras	Affected: 0 , < 3.12.0 (date)

Credits

Jayashwa Singh Chauhan

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12058",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-29T14:07:04.803189Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-29T14:11:03.027Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Keras",
          "vendor": "Keras",
          "versions": [
            {
              "lessThan": "3.12.0",
              "status": "affected",
              "version": "0",
              "versionType": "date"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.12.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jayashwa Singh Chauhan"
        }
      ],
      "datePublic": "2025-10-17T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe \u003cb\u003e\u003ccode\u003eKeras.Model.load_model\u003c/code\u003e\u003c/b\u003e method, including when executed with the intended security mitigation \u003cb\u003e\u003ccode\u003esafe_mode=True\u003c/code\u003e\u003c/b\u003e, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF).\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis vulnerability stems from the way the \u003cb\u003e\u003ccode\u003eStringLookup\u003c/code\u003e\u003c/b\u003e layer is handled during model loading from a specially crafted \u003cb\u003e\u003ccode\u003e.keras\u003c/code\u003e\u003c/b\u003e archive. The constructor for the \u003ccode\u003eStringLookup\u003c/code\u003e layer accepts a \u003ccode\u003evocabulary\u003c/code\u003e argument that can specify a \u003cb\u003elocal file path\u003c/b\u003e or a \u003cb\u003eremote file path\u003c/b\u003e.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003e\u003cb\u003eArbitrary Local File Read:\u003c/b\u003e An attacker can create a malicious \u003ccode\u003e.keras\u003c/code\u003e file that embeds a local path in the \u003ccode\u003eStringLookup\u003c/code\u003e layer\u0027s configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via \u003ccode\u003eget_vocabulary()\u003c/code\u003e), allowing an attacker to \u003cb\u003eread arbitrary local files\u003c/b\u003e on the hosting system.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cb\u003eServer-Side Request Forgery (SSRF):\u003c/b\u003e Keras utilizes \u003cb\u003e\u003ccode\u003etf.io.gfile\u003c/code\u003e\u003c/b\u003e for file operations. Since \u003ccode\u003etf.io.gfile\u003c/code\u003e supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from \u003cb\u003earbitrary network endpoints\u003c/b\u003e on the server\u0027s behalf, resulting in an SSRF condition.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThe security issue is that the feature allowing external path loading was \u003cb\u003enot properly restricted\u003c/b\u003e by the \u003ccode\u003esafe_mode=True\u003c/code\u003e flag, which was intended to prevent such unintended data access.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF).\n\n\nThis vulnerability stems from the way the StringLookup layer is handled during model loading from a specially crafted .keras archive. The constructor for the StringLookup layer accepts a vocabulary argument that can specify a local file path or a remote file path.\n\n  *  Arbitrary Local File Read: An attacker can create a malicious .keras file that embeds a local path in the StringLookup layer\u0027s configuration. When the model is loaded, Keras will attempt to read the content of the specified local file and incorporate it into the model state (e.g., retrievable via get_vocabulary()), allowing an attacker to read arbitrary local files on the hosting system.\n\n\n  *  Server-Side Request Forgery (SSRF): Keras utilizes tf.io.gfile for file operations. Since tf.io.gfile supports remote filesystem handlers (such as GCS and HDFS) and HTTP/HTTPS protocols, the same mechanism can be leveraged to fetch content from arbitrary network endpoints on the server\u0027s behalf, resulting in an SSRF condition.\n\n\nThe security issue is that the feature allowing external path loading was not properly restricted by the safe_mode=True flag, which was intended to prevent such unintended data access."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-221",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-221 Data Serialization External Entities Blowup"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T08:48:29.689Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/keras-team/keras/security/advisories/GHSA-qg93-c7p6-gg7f"
        },
        {
          "url": "https://github.com/keras-team/keras/pull/21751"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-12058",
    "datePublished": "2025-10-29T08:48:29.689Z",
    "dateReserved": "2025-10-22T07:39:21.715Z",
    "dateUpdated": "2025-10-29T14:11:03.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2025-12058

CVE-2025-12058 (GCVE-0-2025-12058)

Tags

Sightings

Nomenclature