RHSA-2026:4271

Vulnerability from csaf_redhat - Published: 2026-03-11 09:02 - Updated: 2026-03-13 12:47
Summary
Red Hat Security Advisory: RHTAS 1.3.2 - Tech Preview Release of Model Transparency

Notes

Topic
This advisory covers the Tech Preview release of the RHTAS Model Transparency CLI image. For more details, see the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3
Details
The RHTAS Model Transparency CLI image can be used to sign and verify AI/ML workloads.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The Tech Preview release of the RHTAS Model Transparency CLI image.\nFor more details please visit the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The RHTAS Model Transparency CLI image can be used to sign and verify AI/ML workloads",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:4271",
        "url": "https://access.redhat.com/errata/RHSA-2026:4271"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-12638",
        "url": "https://access.redhat.com/security/cve/CVE-2025-12638"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-66418",
        "url": "https://access.redhat.com/security/cve/CVE-2025-66418"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-66471",
        "url": "https://access.redhat.com/security/cve/CVE-2025-66471"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-0897",
        "url": "https://access.redhat.com/security/cve/CVE-2026-0897"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-21441",
        "url": "https://access.redhat.com/security/cve/CVE-2026-21441"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-24049",
        "url": "https://access.redhat.com/security/cve/CVE-2026-24049"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4271.json"
      }
    ],
    "title": "Red Hat Security Advisory: RHTAS 1.3.2 - Tech Preview Release of Model Transparency",
    "tracking": {
      "current_release_date": "2026-03-13T12:47:30+00:00",
      "generator": {
        "date": "2026-03-13T12:47:30+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2026:4271",
      "initial_release_date": "2026-03-11T09:02:58+00:00",
      "revision_history": [
        {
          "date": "2026-03-11T09:02:58+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-11T09:03:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-13T12:47:30+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Trusted Artifact Signer 1.3",
                "product": {
                  "name": "Red Hat Trusted Artifact Signer 1.3",
                  "product_id": "Red Hat Trusted Artifact Signer 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Trusted Artifact Signer"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
                "product": {
                  "name": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
                  "product_id": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/model-transparency-rhel9@sha256%3A13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf?arch=amd64\u0026repository_url=registry.redhat.io/rhtas\u0026tag=1772614635"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64",
                "product": {
                  "name": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64",
                  "product_id": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/model-transparency-rhel9@sha256%3A190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea?arch=arm64\u0026repository_url=registry.redhat.io/rhtas\u0026tag=1772614635"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64"
        },
        "product_reference": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64 as a component of Red Hat Trusted Artifact Signer 1.3",
          "product_id": "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
        },
        "product_reference": "registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64",
        "relates_to_product_reference": "Red Hat Trusted Artifact Signer 1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-12638",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2025-11-28T15:01:10.693633+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2417711"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A path traversal flaw has been discovered in Keras. The vulnerability arises because the function uses Python\u0027s tarfile.extractall() method without the security-critical filter=\u0027data\u0027 parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keras: Path Traversal Vulnerability in keras",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-12638"
        },
        {
          "category": "external",
          "summary": "RHBZ#2417711",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417711"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-12638",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-12638"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12638",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12638"
        },
        {
          "category": "external",
          "summary": "https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951",
          "url": "https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e951"
        },
        {
          "category": "external",
          "summary": "https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4",
          "url": "https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4"
        }
      ],
      "release_date": "2025-11-28T14:06:02.069000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T09:02:58+00:00",
          "details": "The Model Transparency CLI Image is a containerized command-line tool for signing and verifying AI/ML workloads against a private Red Hat Trusted Artifact Signer (RHTAS) instance. It lets teams create signatures and attestations for model artifacts and validate them at build or deploy time using enterprise trust material (e.g., Fulcio/Rekor).\n\nFor details on using the Model Transparency CLI image, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4271"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keras: Path Traversal Vulnerability in keras"
    },
    {
      "cve": "CVE-2025-66418",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-12-05T17:01:20.277857+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2419455"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain causes the client system to consume a virtually unbounded amount of CPU resources and memory. The high resource usage leads to service disruption, making the application unresponsive.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-66418"
        },
        {
          "category": "external",
          "summary": "RHBZ#2419455",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419455"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-66418",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66418"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66418",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66418"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8",
          "url": "https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53",
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53"
        }
      ],
      "release_date": "2025-12-05T16:02:15.271000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T09:02:58+00:00",
          "details": "The Model Transparency CLI Image is a containerized command-line tool for signing and verifying AI/ML workloads against a private Red Hat Trusted Artifact Signer (RHTAS) instance. It lets teams create signatures and attestations for model artifacts and validate them at build or deploy time using enterprise trust material (e.g., Fulcio/Rekor).\n\nFor details on using the Model Transparency CLI image, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4271"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion"
    },
    {
      "cve": "CVE-2025-66471",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2025-12-05T17:02:21.597728+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2419467"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "urllib3: urllib3 Streaming API improperly handles highly compressed data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-66471"
        },
        {
          "category": "external",
          "summary": "RHBZ#2419467",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419467"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-66471",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66471"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66471",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66471"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7",
          "url": "https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37",
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37"
        }
      ],
      "release_date": "2025-12-05T16:06:08.531000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T09:02:58+00:00",
          "details": "The Model Transparency CLI Image is a containerized command-line tool for signing and verifying AI/ML workloads against a private Red Hat Trusted Artifact Signer (RHTAS) instance. It lets teams create signatures and attestations for model artifacts and validate them at build or deploy time using enterprise trust material (e.g., Fulcio/Rekor).\n\nFor details on using the Model Transparency CLI image, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4271"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "urllib3: urllib3 Streaming API improperly handles highly compressed data"
    },
    {
      "cve": "CVE-2026-0897",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-01-15T16:01:16.399378+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2430027"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keras. A remote attacker can cause a Denial of Service (DoS) by providing a specially crafted .keras archive containing a model weights file (model.weights.h5) that declares an extremely large data shape. This can lead to excessive memory allocation, resulting in memory exhaustion and a crash of the Python interpreter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Keras: Keras: Denial of Service via crafted HDF5 weight loading file",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important for Red Hat OpenShift AI. A remote attacker can cause a Denial of Service (DoS) by providing a crafted `.keras` archive with an excessively large dataset shape, leading to memory exhaustion. This impacts Red Hat OpenShift AI components that utilize Keras for model handling.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-0897"
        },
        {
          "category": "external",
          "summary": "RHBZ#2430027",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430027"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-0897",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-0897"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-0897",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0897"
        },
        {
          "category": "external",
          "summary": "https://github.com/keras-team/keras/pull/21880",
          "url": "https://github.com/keras-team/keras/pull/21880"
        }
      ],
      "release_date": "2026-01-15T14:09:53.603000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T09:02:58+00:00",
          "details": "The Model Transparency CLI Image is a containerized command-line tool for signing and verifying AI/ML workloads against a private Red Hat Trusted Artifact Signer (RHTAS) instance. It lets teams create signatures and attestations for model artifacts and validate them at build or deploy time using enterprise trust material (e.g., Fulcio/Rekor).\n\nFor details on using the Model Transparency CLI image, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4271"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, avoid loading Keras model archives from untrusted sources. If processing untrusted Keras model archives is unavoidable, ensure they are processed within an isolated and resource-constrained environment to limit the impact of potential memory exhaustion attacks.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Keras: Keras: Denial of Service via crafted HDF5 weight loading file"
    },
    {
      "cve": "CVE-2026-21441",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2026-01-07T23:01:59.422078+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2427726"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "urllib3 is an HTTP client library for Python. urllib3\u0027s streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-21441"
        },
        {
          "category": "external",
          "summary": "RHBZ#2427726",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427726"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-21441",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-21441"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b",
          "url": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99",
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99"
        }
      ],
      "release_date": "2026-01-07T22:09:01.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T09:02:58+00:00",
          "details": "The Model Transparency CLI Image is a containerized command-line tool for signing and verifying AI/ML workloads against a private Red Hat Trusted Artifact Signer (RHTAS) instance. It lets teams create signatures and attestations for model artifacts and validate them at build or deploy time using enterprise trust material (e.g., Fulcio/Rekor).\n\nFor details on using the Model Transparency CLI image, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4271"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)"
    },
    {
      "cve": "CVE-2026-24049",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2026-01-22T05:00:54.709179+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2431959"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A path traversal flaw has been discovered in the python wheel tool. The unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
          "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-24049"
        },
        {
          "category": "external",
          "summary": "RHBZ#2431959",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431959"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-24049",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-24049"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-24049",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24049"
        },
        {
          "category": "external",
          "summary": "https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef",
          "url": "https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef"
        },
        {
          "category": "external",
          "summary": "https://github.com/pypa/wheel/releases/tag/0.46.2",
          "url": "https://github.com/pypa/wheel/releases/tag/0.46.2"
        },
        {
          "category": "external",
          "summary": "https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx",
          "url": "https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx"
        }
      ],
      "release_date": "2026-01-22T04:02:08.706000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T09:02:58+00:00",
          "details": "The Model Transparency CLI Image is a containerized command-line tool for signing and verifying AI/ML workloads against a private Red Hat Trusted Artifact Signer (RHTAS) instance. It lets teams create signatures and attestations for model artifacts and validate them at build or deploy time using enterprise trust material (e.g., Fulcio/Rekor).\n\nFor details on using the Model Transparency CLI image, refer to the product documentation at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3\n\nYou can find the release notes for this version of Red Hat Trusted Artifact Signer at https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.3/html-single/release_notes/index",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4271"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:13dcb5d7ce1ce6190cea3493196eae507134d78a0e13cf6ebb148678c54943cf_amd64",
            "Red Hat Trusted Artifact Signer 1.3:registry.redhat.io/rhtas/model-transparency-rhel9@sha256:190019292f10046a4ba9a56b253bc3e9c78e11cb969ea52fca3b5e90c21746ea_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking"
    }
  ]
}







Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

