CVE-2026-12482 in Kerasinfo

Summary

by MITRE • 07/14/2026

A vulnerability in keras-team/keras version 3.12.0 allows an attacker to craft a malicious tar archive that bypasses the `filter_safe_tarinfos` validation in `keras/src/utils/file_utils.py`. Specifically, symlink entries are not subjected to the same `is_path_in_dir` validation as regular file entries, allowing symlinks to be created outside the intended extraction directory. This can lead to symlink-based file read, file overwrite, or directory escape attacks. The issue is particularly impactful on Python 3.10 and 3.11, where `filter_safe_tarinfos` is the sole defense against tar path traversal. This vulnerability is distinct from CVE-2025-12060 and other previously reported issues.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability exists within the keras machine learning framework version 3.12.0 and represents a critical path traversal flaw in the archive extraction mechanism that can be exploited to execute arbitrary file operations on affected systems. The issue stems from an incomplete implementation of the `filter_safe_tarinfos` validation function located in `keras/src/utils/file_utils.py`, which is designed to prevent malicious tar archive extraction behaviors. The vulnerability specifically targets the handling of symbolic link entries within tar archives, creating a security gap where symlinks bypass the same validation checks that protect regular file entries.

The technical flaw manifests when the system processes tar archives containing symbolic links that point outside the intended extraction directory. While regular files are properly validated against the `is_path_in_dir` function to ensure they remain within the designated target folder, symbolic link entries are exempt from this crucial security check. This inconsistency allows attackers to craft malicious tar archives with carefully constructed symlinks that can point to sensitive system locations or create symbolic references that enable path traversal attacks. The vulnerability operates at the archive processing layer where Python's tarfile module handles decompression operations, making it particularly dangerous in environments where untrusted archives are processed automatically.

The operational impact of this vulnerability is severe and multifaceted, affecting systems that utilize keras for model loading or data processing workflows where external archives might be downloaded and extracted. Attackers can leverage this flaw to perform file read operations by creating symbolic links that point to sensitive files like configuration data, credentials, or system binaries, thereby enabling information disclosure. Additionally, the vulnerability supports file overwrite attacks where malicious symlinks can be used to redirect extraction operations to overwrite critical system files or user data. Directory escape scenarios are also possible, allowing attackers to create symbolic links that break out of intended containment boundaries and potentially compromise the entire system's integrity.

This vulnerability is particularly dangerous on Python 3.10 and 3.11 environments where `filter_safe_tarinfos` serves as the primary defense mechanism against path traversal attacks in the archive extraction process. The absence of proper symlink validation creates a critical gap that cannot be mitigated by other security measures within the system, making it a singleton vulnerability that requires immediate attention. The flaw is categorized under CWE-22 Path Traversal and aligns with ATT&CK technique T1059 Command and Scripting Interpreter for potential exploitation methods. Unlike CVE-2025-12060 and other previously reported issues, this vulnerability specifically targets the symbolic link handling mechanism rather than general archive parsing or validation flaws.

Organizations using keras version 3.12.0 should implement immediate mitigations including upgrading to a patched version of the framework, implementing additional input validation for all external archive processing, and restricting automatic extraction of untrusted archives in production environments. System administrators should also consider implementing network-level controls to prevent download and execution of potentially malicious archives, while developers should ensure that any custom archive handling code includes comprehensive validation for all file types within archives including symbolic links. The vulnerability highlights the importance of thorough security testing for archive processing functions and demonstrates how seemingly minor implementation gaps can create significant security risks in widely used frameworks.

Responsible

@huntr Ai

Reservation

06/17/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!