keras-team/keras v3.12.1

on GitHub

Security Fixes & Hardening

This release introduces critical security hardening for model loading and saving, alongside improvements to the JAX backend metadata handling.

• Disallow TFSMLayer deserialization in safe_mode (#22035)

  • Previously, TFSMLayer could load external TensorFlow SavedModels during deserialization without respecting Keras safe_mode. This could allow the execution of attacker-controlled graphs during model invocation.
  • TFSMLayer now enforces safe_mode by default. Deserialization via from_config() will raise a ValueError unless safe_mode=False is explicitly passed or keras.config.enable_unsafe_deserialization() is called.

• Fix Denial of Service (DoS) in KerasFileEditor (#21880)

  • Introduces validation for HDF5 dataset metadata to prevent "shape bomb" attacks.
  • Hardens the .keras file editor against malicious metadata that could cause dimension overflows or unbounded memory allocation (unbounded numpy allocation of multi-gigabyte tensors).

• Block External Links in HDF5 files (#22057)

  • Keras now explicitly disallows external links within HDF5 files during loading. This prevents potential security risks where a weight file could point to external system datasets.
  • Includes improved verification for H5 Groups and Datasets to ensure they are local and valid.

Saving & Serialization

• Improved H5IOStore Integrity (#22057)
  • Refactored H5IOStore and ShardedH5IOStore to remove unused, unverified methods.
  • Fixed key-ordering logic in sharded HDF5 stores to ensure consistent state loading across different environments.

Acknowledgments

Special thanks to the security researchers and contributors who reported these vulnerabilities and helped implement the fixes: @0xManan, @HyperPS, and @hertschuh.

Full Changelog: v3.12.0...v3.12.1