CVE-2026-12479: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in keras-team keras-team/keras
A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the `DiskIOStore.make` method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths without sanitizing for parent directory components (`..`). While forward slashes (`/`) are restricted in layer names, directory traversal sequences are not. This allows an attacker to craft a malicious Keras model that, when saved or loaded, can escape the intended temporary working directory and perform unauthorized file system operations, such as creating directories or writing files in arbitrary locations.
AI Analysis
Technical Summary
This vulnerability in keras-team/keras 3.14.0 arises from the DiskIOStore.make method's failure to properly sanitize layer names used in directory path construction. Although forward slashes are restricted, directory traversal components like '..' are not filtered, permitting attackers to craft malicious model files that cause the software to write or create files outside the designated temporary working directory. This improper limitation of pathname to a restricted directory (CWE-22) can lead to unauthorized file system access during model save or load operations.
Potential Impact
An attacker who can supply or influence layer names in a Keras model can exploit this vulnerability to perform unauthorized file system operations, including creating directories or writing files outside the intended temporary directory. This may lead to partial compromise of confidentiality, integrity, and availability of the system where the model is processed. The CVSS 3.0 score of 6.1 reflects a medium severity with local attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid loading or saving untrusted Keras models that may contain malicious layer names. Monitor vendor communications for updates regarding patches or official mitigations.
CVE-2026-12479: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in keras-team keras-team/keras
Description
A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the `DiskIOStore.make` method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths without sanitizing for parent directory components (`..`). While forward slashes (`/`) are restricted in layer names, directory traversal sequences are not. This allows an attacker to craft a malicious Keras model that, when saved or loaded, can escape the intended temporary working directory and perform unauthorized file system operations, such as creating directories or writing files in arbitrary locations.
CVSS v3.0
Score 6.1medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in keras-team/keras 3.14.0 arises from the DiskIOStore.make method's failure to properly sanitize layer names used in directory path construction. Although forward slashes are restricted, directory traversal components like '..' are not filtered, permitting attackers to craft malicious model files that cause the software to write or create files outside the designated temporary working directory. This improper limitation of pathname to a restricted directory (CWE-22) can lead to unauthorized file system access during model save or load operations.
Potential Impact
An attacker who can supply or influence layer names in a Keras model can exploit this vulnerability to perform unauthorized file system operations, including creating directories or writing files outside the intended temporary directory. This may lead to partial compromise of confidentiality, integrity, and availability of the system where the model is processed. The CVSS 3.0 score of 6.1 reflects a medium severity with local attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid loading or saving untrusted Keras models that may contain malicious layer names. Monitor vendor communications for updates regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-06-17T00:28:44.653Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a395729eed863c81e0537d6
Added to database: 06/22/2026, 15:39:21 UTC
Last enriched: 06/22/2026, 16:09:53 UTC
Last updated: 06/22/2026, 18:56:58 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.