Overview
CVE-2025-12638 identifies a critical path traversal vulnerability affecting Keras version 3.11.3. This flaw resides within the keras.utils.get_file() function, specifically during the extraction of tar archives. Due to insufficient security measures during extraction, malicious actors can potentially write files outside the intended extraction directory, leading to system compromise.
Technical Details
The vulnerability stems from the usage of Python’s tarfile.extractall() method in keras.utils.get_file() without employing the crucial filter='data' parameter. While Keras attempts to mitigate risks using the filter_safe_paths() function, a critical race condition exists. The filtering happens before the extraction, and a PATH_MAX symlink resolution bug is triggered during the extraction process. This bug causes symlink resolution to fail due to exceeding path length limits, effectively bypassing the intended security controls. The result is the ability to write files to arbitrary locations on the file system, exceeding the bounds of the cache directory.
In simpler terms, if a specially crafted tar archive containing malicious symlinks is processed using keras.utils.get_file(), these symlinks can trick the extraction process into writing files to locations outside the intended Keras cache directory. This allows an attacker to potentially overwrite critical system files or inject malicious code.
CVSS Analysis
Currently, the CVSS score for CVE-2025-12638 is listed as N/A. However, given the potential for arbitrary file writes and system compromise, a high severity score is anticipated upon formal analysis. The impact is significant as successful exploitation could lead to complete system compromise, including data theft, malware installation, and denial-of-service attacks.
Possible Impact
The successful exploitation of CVE-2025-12638 can have severe consequences:
- Arbitrary File Write: Attackers can write files to any location on the system, potentially overwriting critical system files.
- Code Execution: Malicious code can be injected into system directories, leading to arbitrary code execution.
- System Compromise: The entire system could be compromised, granting attackers full control.
- Data Theft: Sensitive data can be stolen from the compromised system.
- Denial of Service: System functionality can be disrupted, leading to a denial-of-service condition.
Mitigation or Patch Steps
The primary mitigation strategy is to upgrade Keras to a version that addresses this vulnerability. It is highly recommended to:
- Upgrade Keras: Upgrade to the latest version of Keras as soon as a patched version is released. Check the Keras official website and changelog for the fix announcement.
- Verify Tar Archives: Before using
keras.utils.get_file()with a tar archive, ensure the source of the archive is trusted and that the archive itself has been verified for integrity. - Implement Workarounds (Temporary): If an immediate upgrade is not possible, consider implementing temporary workarounds such as manually inspecting the contents of tar archives before using
keras.utils.get_file(), although this is not a reliable long-term solution.
Check the official Keras documentation and security advisories for specific instructions and patch availability.