{"data":{"id":"2f72e93a-6ea9-4681-aa18-201ddc7838f0","title":"GHSA-mgx6-5cf9-rr43: Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)","summary":"Keras has a critical vulnerability in its model loader (KerasFileEditor) that allows attackers to cause a Denial of Service (DoS, where a system becomes unusable) by uploading malicious .keras files. An attacker can craft a small .keras file (100-400 KB) that declares an extremely large dataset shape in its HDF5 weight file (a binary format for storing weights in neural networks), but stores only a few bytes of actual data. When Keras loads this file, it attempts to allocate petabytes of RAM based on the declared shape, immediately crashing the system and killing any applications processing the model.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-mgx6-5cf9-rr43","publishedAt":"2026-05-06T23:09:37.000Z","cveId":"CVE-2026-0897","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["keras@>= 3.13.0, < 3.13.2 (fixed: 3.13.2)","keras@>= 3.0.0, <= 3.12.0 (fixed: 3.12.1)"],"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Keras","TensorFlow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0003,"patchAvailable":true,"disclosureDate":"2026-05-06T23:09:37.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}