pypi Keras 3.12.3
v3.12.3

Keras 3.12.3 is a security patch release that hardens model saving, loading, and deserialization against a range of attack vectors.

HDF5 Hardening

  • Reject ExternalLink/SoftLink groups in KerasFileEditor (#22899)
    • Prevents HDF5 external/soft links from being exploited to read arbitrary files during model editing.
  • Reject ExternalLink/SoftLink on legacy .h5 dispatcher (#22900)
    • Extends HDF5 link rejection to the legacy load_weights path for .h5 files.
  • Reject HDF5 shape-bomb datasets (#22975)
    • Blocks HDF5 datasets that declare excessively large shapes, which could otherwise trigger out-of-memory crashes during load_model/load_weights.
  • Reject HDF5 virtual datasets in KerasFileEditor (#22976)
    • Prevents virtual dataset references from being used to access external files.

Archive Hardening

  • Reject hard-link tar members escaping extraction directory (#22973)
    • Blocks tar hard links whose target resolves outside the extraction root.
  • Reject decompression-bomb archive members (#23010)
    • Detects and rejects .keras archive members that declare far more data than is actually stored, preventing memory exhaustion.
  • Prevent symlink traversal during extraction (#23015)
    • Resolves paths with realpath to prevent symlink-based directory traversal attacks.
  • Reject npz weight bombs (#23016)
    • Validates npz weight members against shape/decompression bombs before allocating memory.
  • Validate DiskIOStore asset paths (#23017)
    • Ensures asset paths stay within the working directory during model saving/loading.
  • Use filter="data" in TarFile.extractall (#23108)
    • Applies Python's built-in tar extraction safety filter on supported versions.
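The archive checks above (hard links and symlinks that leave the extraction root, members that declare far more data than they store) all come down to validating archive metadata before anything is written or allocated. The following is an added example of such a pre-extraction scan; it is not Keras code. The policy values MAX_RATIO and MAX_MEMBER_BYTES, the extraction directory ROOT, and the sample tar and zip archives are all constructed for this illustration. The `.keras` container is a zip, so the zip path is the one that corresponds to decompression-bomb members; the tar path covers hard-link and symlink targets.

```python
import io
import os
import tarfile
import zipfile

# Assumed policy values for this example, not settings taken from Keras.
MAX_RATIO = 100              # declared size may be at most 100x the stored size
MAX_MEMBER_BYTES = 1 << 30   # no single member may declare more than 1 GiB


class UnsafeArchive(ValueError):
    """An archive member could escape the extraction root or exhaust memory."""


def _inside(root, path):
    """True if `path` (absolute, or relative to `root`) resolves to a location inside `root`."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) == root


def check_tar_member(member, root):
    """Reject device nodes, path traversal, and hard/symbolic links that point outside `root`."""
    if member.isdev():
        raise UnsafeArchive(f"device node {member.name!r}")
    if not _inside(root, member.name):
        raise UnsafeArchive(f"path escapes extraction root: {member.name!r}")
    if member.islnk() and not _inside(root, member.linkname):
        # Hard-link targets are archive-relative paths, so they resolve against the root itself.
        raise UnsafeArchive(f"hard link escapes root: {member.name!r} -> {member.linkname!r}")
    if member.issym():
        # Symlink targets are relative to the member's own directory. An absolute target makes
        # os.path.join discard the prefix, so the same containment test catches it.
        target = os.path.join(os.path.dirname(member.name), member.linkname)
        if not _inside(root, target):
            raise UnsafeArchive(f"symlink escapes root: {member.name!r} -> {member.linkname!r}")


def check_zip_member(info, root):
    """Reject zip members that escape `root` or whose declared size is implausible for the stored bytes."""
    if not _inside(root, info.filename):
        raise UnsafeArchive(f"path escapes extraction root: {info.filename!r}")
    if info.file_size > MAX_MEMBER_BYTES:
        raise UnsafeArchive(f"{info.filename!r} declares {info.file_size} bytes")
    if info.file_size and (info.compress_size == 0 or info.file_size / info.compress_size > MAX_RATIO):
        raise UnsafeArchive(f"{info.filename!r} declares {info.file_size} bytes but stores {info.compress_size}")


def scan_tar(data, root):
    """Validate every member of an in-memory tar before extraction; return the member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        members = tf.getmembers()
        for m in members:
            check_tar_member(m, root)
        return [m.name for m in members]


def scan_zip(data, root):
    """Validate every member of an in-memory zip before extraction; return the member names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:
            check_zip_member(info, root)
        return [i.filename for i in infos]


def is_safe(scanner, data, root):
    """Boolean wrapper around scan_tar/scan_zip for callers that only need accept/reject."""
    try:
        scanner(data, root)
        return True
    except UnsafeArchive:
        return False


# --- Constructed sample archives; none of these is a real Keras artifact. ---
def _tar_of(members):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for info, payload in members:
            tf.addfile(info, io.BytesIO(payload) if payload is not None else None)
    return buf.getvalue()


def _regular(name, payload):
    ti = tarfile.TarInfo(name)
    ti.size = len(payload)
    return ti, payload


def _link(name, target, kind):
    ti = tarfile.TarInfo(name)
    ti.type, ti.linkname = kind, target
    return ti, None


def _zip_of(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


ROOT = os.path.join(os.getcwd(), "extract_root")  # hypothetical extraction directory
GOOD_TAR = _tar_of([_regular("model/weights.bin", bytes(64))])
HARDLINK_TAR = _tar_of([_link("model/weights.bin", "../../etc/passwd", tarfile.LNKTYPE)])
SYMLINK_TAR = _tar_of([_link("model/link", "/etc/passwd", tarfile.SYMTYPE)])
GOOD_ZIP = _zip_of([("config.json", b'{"class_name": "Sequential"}')])
BOMB_ZIP = _zip_of([("model.weights.npz", bytes(2_000_000))])  # zeros deflate at roughly 1000:1
```

Run `scan_tar(data, root)` or `scan_zip(data, root)` before calling `extractall`; on Python versions that expose `tarfile.data_filter`, pass `filter="data"` to `TarFile.extractall` as well, since the stdlib filter independently rejects absolute paths, links that leave the destination, and device nodes. The ratio check is a heuristic: a legitimate all-zero weight tensor can compress very well, so MAX_RATIO should be tuned to what the model files in use actually look like rather than copied from this example.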

Deserialization Safety

  • Fix insecure deserialization in dataset utilities (#23026)
    • Closes an insecure deserialization path in dataset utility functions.
  • Explicitly disable pickle in np.load (#23034)
    • Prevents pickle execution when loading NumPy weight files.
  • Make Lambda/TorchModuleWrapper from_config fail closed (#23048)
    • When safe_mode is unset, Lambda and TorchModuleWrapper deserialization now fails closed instead of silently allowing arbitrary code execution.
  • Restrict reloadable APIs (#23115)
    • Expands the list of APIs that should not be part of a deserialized model.
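Two of the items above concern NumPy weight files: npz weight bombs (#23016) and pickle execution in np.load (#23034). NumPy's own switch for the second is `np.load(path, allow_pickle=False)`; the added example below, which is not Keras code, shows what can be checked before NumPy is even invoked, using only the standard library to read the `.npy` header. It rejects object dtypes (which can only be loaded through pickle) and shapes whose element count exceeds a cap, and applies the same declared-versus-stored size check to `.npz` members. The cap MAX_ELEMENTS, the ratio MAX_RATIO, and every sample file are constructed for this illustration; the same declared-size-versus-cap idea is what a shape-bomb check on HDF5 datasets (#22975) applies to a different container.

```python
import ast
import io
import re
import struct
import zipfile

# Assumed policy values for this example, not settings taken from Keras.
MAX_ELEMENTS = 50_000_000  # largest element count a single array may declare
MAX_RATIO = 100            # declared/stored size ratio cap for npz members


class UnsafeWeightFile(ValueError):
    """A weight file needs pickle, declares an implausible shape, or has a malformed header."""


def parse_npy_header(f):
    """Parse the .npy header from a binary stream with the stdlib only; the payload is never read."""
    pre = f.read(12)
    if pre[:6] != b"\x93NUMPY":
        raise UnsafeWeightFile("missing .npy magic")
    major = pre[6]
    if major == 1:          # format 1.0: 2-byte little-endian header length at offset 8
        hlen, rest = struct.unpack("<H", pre[8:10])[0], pre[10:12]
    elif major in (2, 3):   # formats 2.0/3.0: 4-byte little-endian header length at offset 8
        hlen, rest = struct.unpack("<I", pre[8:12])[0], b""
    else:
        raise UnsafeWeightFile(f"unsupported .npy format version {major}")
    if not 16 <= hlen <= 1 << 16:
        raise UnsafeWeightFile(f"implausible header length {hlen}")
    try:
        meta = ast.literal_eval((rest + f.read(hlen - len(rest))).decode("latin-1"))
    except (ValueError, SyntaxError, UnicodeDecodeError) as exc:
        raise UnsafeWeightFile("malformed .npy header") from exc
    if not isinstance(meta, dict) or not {"descr", "fortran_order", "shape"}.issubset(meta):
        raise UnsafeWeightFile("incomplete .npy header")
    return meta


def check_npy_header(meta):
    """Fail closed on pickle-backed dtypes and shape bombs; return the declared payload size in bytes."""
    descr = meta["descr"]
    # Object arrays ('|O') and structured dtypes (lists) can only be loaded through pickle.
    if not isinstance(descr, str) or "O" in descr:
        raise UnsafeWeightFile(f"dtype {descr!r} requires pickle")
    m = re.fullmatch(r"[<>|=]?([a-zA-Z])(\d+)", descr)
    if m is None:
        raise UnsafeWeightFile(f"unrecognised dtype {descr!r}")
    itemsize = int(m.group(2)) * (4 if m.group(1) == "U" else 1)  # 'U' counts code points of 4 bytes
    shape = meta["shape"]
    if not isinstance(shape, tuple) or not all(isinstance(d, int) and d >= 0 for d in shape):
        raise UnsafeWeightFile(f"bad shape {shape!r}")
    count = 1
    for dim in shape:
        count *= dim
        if count > MAX_ELEMENTS:  # checked per dimension so the product is bounded before any allocation
            raise UnsafeWeightFile(f"shape {shape} declares more than {MAX_ELEMENTS} elements")
    return count * itemsize


def check_npy(blob):
    """Validate an in-memory .npy file; return its declared payload size in bytes."""
    return check_npy_header(parse_npy_header(io.BytesIO(blob)))


def check_npz(blob):
    """Validate each member of an .npz (a zip of .npy files); return {member: declared bytes}."""
    sizes = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.endswith(".npy") or "/" in name or "\\" in name:
                raise UnsafeWeightFile(f"unexpected npz member {name!r}")
            if info.file_size and (info.compress_size == 0 or info.file_size / info.compress_size > MAX_RATIO):
                raise UnsafeWeightFile(f"{name!r} looks like a decompression bomb")
            with zf.open(info) as member:
                sizes[name] = check_npy_header(parse_npy_header(member))
    return sizes


def is_safe(checker, blob):
    """Boolean wrapper around check_npy/check_npz for callers that only need accept/reject."""
    try:
        checker(blob)
        return True
    except UnsafeWeightFile:
        return False


# --- Constructed sample files; none is a real Keras artifact. ---
def make_npy(descr, shape, payload):
    header = f"{{'descr': '{descr}', 'fortran_order': False, 'shape': {shape!r}, }}"
    header += " " * ((16 - (10 + len(header) + 1) % 16) % 16) + "\n"  # pad so the data starts 16-aligned
    return b"\x93NUMPY\x01\x00" + struct.pack("<H", len(header)) + header.encode("latin-1") + payload


def make_npz(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


GOOD_NPY = make_npy("<f4", (2, 3), bytes(24))                 # six float32 values
OBJECT_NPY = make_npy("|O", (1,), b"\x80\x04N.")                # object dtype; payload is a placeholder pickle stream
BOMB_NPY = make_npy("<f4", (1_000_000, 1_000_000), b"")        # declares 4 TB with no data behind it
GOOD_NPZ = make_npz([("kernel.npy", GOOD_NPY)])
BOMB_NPZ = make_npz([("kernel.npy", BOMB_NPY)])
TRAVERSAL_NPZ = make_npz([("../kernel.npy", GOOD_NPY)])
```

The header parser deliberately uses `ast.literal_eval`, which only accepts Python literals, so a hostile header cannot smuggle code through it; and because it stops after the header, an object-dtype file is rejected without its pickle payload ever being consumed. Only after this check passes should `np.load(..., allow_pickle=False)` be called, which keeps pickle disabled as a second, independent layer.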

Full Changelog: v3.12.2...v3.12.3
