Security: Upgrade Keras to 3.8.0+ to fix CVE-2024-55459

[psaboia]

Security Vulnerability

CVE-2024-55459: Keras Path Traversal vulnerability

• Severity: Medium
• Affected versions: <= 3.7.0 (including our current 2.14.0)
• GHSA: GHSA-cjgq-5qmw-rcj6

Description

An issue in Keras allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the function.

Current Status

We are using Keras 2.14.0 which is vulnerable to this issue. Upgrading to Keras 3.8.0+ would fix this vulnerability but requires significant code changes and compatibility testing with TensorFlow 2.14.x.

Mitigation

Until we can upgrade to Keras 3.8.0+:

• DO NOT use with untrusted URLs
• If you must use it, add security measures to validate any downloaded files
• Only download files from trusted sources

Action Items

• Test compatibility with Keras 3.8.0+ and TensorFlow 2.15.0+
• Update codebase for Keras 3.x API changes
• Update dependencies once compatibility is confirmed

References

• NVD - CVE-2024-55459
• GitHub Advisory
• Vulnerability Details