CVE-2025-12638: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in keras-team keras-team/keras

High
Tags: Vulnerability, CVE-2025-12638, cve, cve-2025-12638, cwe-22
Published: Fri Nov 28 2025 (11/28/2025, 14:06:02 UTC)
Source: CVE Database V5
Vendor/Project: keras-team
Product: keras-team/keras

Description

Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory. This can lead to arbitrary file writes outside the cache directory, enabling potential system compromise or malicious code execution. The vulnerability affects Keras installations that process tar archives with get_file() and does not affect versions where this extraction method is secured with the appropriate filter parameter.

AI-Powered Analysis

Last updated: 11/28/2025, 14:38:54 UTC

Technical Analysis

CVE-2025-12638 is a path traversal vulnerability classified under CWE-22, found in the keras.utils.get_file() function of Keras version 3.11.3. The vulnerability stems from the use of Python's tarfile.extractall() method without the security-critical filter='data' parameter, which is designed to prevent extraction of files outside the intended directory. Although Keras attempts to pre-filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction and does not account for a symlink resolution bug triggered by PATH_MAX path length limits during extraction. This bug causes the symlink resolution to fail, allowing an attacker to bypass the path filtering and write files arbitrarily outside the designated cache directory.

Such arbitrary file writes can lead to overwriting critical system files or placing malicious executables, resulting in potential system compromise or remote code execution. The vulnerability requires that the attacker have local privileges and some user interaction to trigger the vulnerable code path, as it involves processing tar archives through get_file(). No known exploits are reported in the wild yet, but the high CVSS score (8.0) reflects the significant risk posed by this vulnerability.

The issue affects Keras installations that handle tar archives with get_file() and do not have the secure extraction method implemented. Fixing this vulnerability involves updating Keras to versions that use the filter='data' parameter with tarfile.extractall() or applying patches that address the symlink resolution bug and improve path filtering. This vulnerability is particularly relevant for organizations using Keras in AI/ML workflows where tar archives are downloaded and extracted, as it can lead to severe security breaches if exploited.

Potential Impact

For European organizations, this vulnerability presents a significant risk especially for those heavily invested in AI and machine learning projects using Keras. Successful exploitation can lead to arbitrary file writes outside the intended directories, potentially overwriting critical system files or injecting malicious code. This compromises system confidentiality, integrity, and availability, possibly resulting in full system compromise or lateral movement within networks. Organizations relying on automated model downloads or updates via keras.utils.get_file() are particularly vulnerable. The impact is heightened in environments where users have elevated privileges or where the cache directories have weak access controls. Given the high CVSS score and the ability to execute arbitrary code, this vulnerability could disrupt critical AI research, data processing pipelines, or production ML services. Additionally, regulatory compliance risks may arise if sensitive data or systems are compromised. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the threat remains substantial due to the ease of exploitation once local access is obtained.

Mitigation Recommendations

1. Immediately update Keras to a version that includes the fix implementing the filter='data' parameter in tarfile.extractall(), or apply vendor-provided patches addressing the symlink resolution and path filtering issues.
2. If patching is not immediately possible, restrict permissions on Keras cache directories to prevent unauthorized write access and monitor these directories for unexpected file changes.
3. Implement strict user privilege management to limit local user permissions, reducing the risk of exploitation by non-privileged users.
4. Employ application whitelisting and integrity monitoring tools to detect and prevent unauthorized file modifications or execution of malicious code.
5. Review and harden the environment where Keras is deployed, ensuring that tar archives processed by get_file() come from trusted sources only.
6. Educate developers and data scientists about the risks of processing untrusted tar archives and encourage secure coding practices.
7. Monitor security advisories from Keras and related Python libraries for updates or additional mitigations.
8. Consider containerizing or sandboxing ML workloads to limit the impact of potential exploitation.


Technical Details

Data Version: 5.2
Assigner Short Name: @huntr_ai
Date Reserved: 2025-11-03T17:43:47.102Z
Cvss Version: 3.0
State: PUBLISHED

Threat ID: 6929b0784121026312a55d99

Added to database: 11/28/2025, 2:23:52 PM

Last enriched: 11/28/2025, 2:38:54 PM

Last updated: 2/7/2026, 4:26:00 PM
