Compliance Impact

This vulnerability allows attackers to perform arbitrary file writes outside the intended extraction directory by exploiting path traversal issues during archive extraction. Such unauthorized file modifications can lead to overwriting configuration files, injecting malicious code, or corrupting datasets and pipelines.

While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to overwrite or inject malicious files could potentially lead to unauthorized access or alteration of sensitive data, which may violate data protection and security requirements mandated by these regulations.

Useful 0 Not Useful 0

Executive Summary

Keras versions prior to 3.14.0 have a path traversal vulnerability in their archive extraction utilities located in the file_utils.py module. The functions responsible for validating archive member paths check these paths against the process's current working directory (CWD) instead of the actual extraction destination. When the CWD is set to the root directory ("/"), which is common in environments like Docker containers, CI/CD runners, and Jupyter notebooks, this validation allows malicious archive entries to escape the intended extraction folder.

Additionally, the zip filter has a bug that causes an AttributeError when a blocked entry is encountered, resulting in incomplete extraction. Python 3.11 installations lack an additional safety filter, making them fully dependent on this flawed CWD-based validation. Exploiting this vulnerability enables attackers to write files arbitrarily outside the intended extraction directory.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to write files outside the intended extraction directory, potentially overwriting important configuration files, injecting malicious code, or corrupting machine learning datasets and pipelines. Such unauthorized file writes can compromise the integrity and security of your system or application.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying usage of vulnerable Keras versions prior to 3.14.0 that perform archive extraction using the affected functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` in `keras/src/utils/file_utils.py`.

Since the vulnerability arises when the current working directory (CWD) is set to root ("/"), which is common in Docker containers, CI/CD runners, and Jupyter environments, you can check for processes running Keras in such environments.

To detect exploitation attempts or presence of the vulnerability, you can:

• Check the Keras version installed: `pip show keras` or `pip list | grep keras`
• Inspect running containers or environments where Keras is used and verify if their working directory is set to root (`/`). For example, in Docker: `docker inspect <container_id> | grep WorkingDir`
• Monitor file system changes outside expected extraction directories, especially unexpected writes to configuration files or code files.
• Look for Python errors related to `AttributeError` during zip extraction which may indicate the zip filter bug being triggered.

There are no specific commands provided in the resources for direct detection of exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Keras to version 3.14.0 or later, where the vulnerability has been fixed.

The fix involves updating the `filter_safe_zipinfos` and `filter_safe_tarinfos` functions to resolve paths relative to the actual extraction destination folder instead of the current working directory, preventing path traversal.

Additionally, avoid running processes that extract archives with Keras from a root (`/`) current working directory, especially in Docker containers, CI/CD runners, or Jupyter environments.

If upgrading immediately is not possible, consider isolating or sandboxing the extraction process to limit potential damage from arbitrary file writes.

Useful 0 Not Useful 0