Keras 3.13.2 on Python PyPI

Security Fixes & Hardening

This release introduces critical security hardening for model loading and saving, alongside improvements to the JAX backend metadata handling.

Disallow TFSMLayer deserialization in safe_mode (#22035)
- Previously, TFSMLayer could load external TensorFlow SavedModels during deserialization without respecting Keras safe_mode. This could allow the execution of attacker-controlled graphs during model invocation.
- TFSMLayer now enforces safe_mode by default. Deserialization via from_config() will raise a ValueError unless safe_mode=False is explicitly passed or keras.config.enable_unsafe_deserialization() is called.
Fix Denial of Service (DoS) in KerasFileEditor (#21880)
- Introduces validation for HDF5 dataset metadata to prevent "shape bomb" attacks.
- Hardens the .keras file editor against malicious metadata that could cause dimension overflows or unbounded memory allocation (unbounded numpy allocation of multi-gigabyte tensors).
Block External Links in HDF5 files (#22057)
- Keras now explicitly disallows external links within HDF5 files during loading. This prevents potential security risks where a weight file could point to external system datasets.
- Includes improved verification for H5 Groups and Datasets to ensure they are local and valid.

Set mutable=True by default in nnx_metadata (#22074)
- Updated the JAX backend logic to ensure that variables are treated as mutable by default in nnx_metadata.
- This makes Keras 3.13.2 compatible with Flax 0.12.3 when the Keras NNX integration is enabled.

Improved H5IOStore Integrity (#22057)
- Refactored H5IOStore and ShardedH5IOStore to remove unused, unverified methods.
- Fixed key-ordering logic in sharded HDF5 stores to ensure consistent state loading across different environments.

We would like to thank the following contributors for their security reports and code improvements:
@0xManan, @HyperPS, @hertschuh, and @divyashreepathihalli.

Full Changelog: v3.13.1...v3.13.2