Blackduck vulnerability reported in all the versions of Keras #20795
Assignees
Labels
stat:awaiting response from contributor
stat:contributions welcome
A pull request to fix this issue would be welcome.
type:Bug
Comments
mehtamansi29
added
type:Bug
keras-team-review-pending
|
Hi, we investigated this issue briefly. However, this looks like a vulnerability between Palo Alto Networks Firewalls. We don't have any affiliation with these services, so are not quite sure why Keras would trigger this warning. Can you provide some more information about why that might be and/or check for false positives? |
VarunS1997
added
stat:contributions welcome
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Blackduck scan ,Keras package is reported as vulnerable with CVE ID =BDSA-2025-0107. can you please let us know in which release this fix will be given and when is the release date.
Issue description:
Keras is vulnerable to arbitrary file write due to a flaw in the get_file function. This could allow an attacker to write arbitrary files to the user's machine by downloading a crafted tar file.
The text was updated successfully, but these errors were encountered: