CVE-2025-12638: Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extractin
highvulnerability
security
Summary
Keras version 3.11.3 has a path traversal vulnerability (a security flaw where attackers can write files outside the intended directory) in the keras.utils.get_file() function when extracting tar archives (compressed file formats). The function fails to properly validate file paths during extraction, allowing an attacker to write files anywhere on the system, potentially compromising it or executing malicious code.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityavailability
Affected Vendors
HuggingFace
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-12638
First tracked: February 15, 2026 at 08:42 PM
Classified by LLM (prompt v3) · confidence: 92%