Cyber Resilience

CVE-2025-12060

High

Published: 30 October 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-12060 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Service (T1543.003). It ranks at the 28.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Deep Learning Frameworks, in the Supply Chain and Deployment risk domain.

EU & UK References

Vulnerability details

The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utility uses Python's tarfile.extractall function without the filter="data" feature. A remote attacker can craft a malicious tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder. This vulnerability is linked to the underlying Python tarfile weakness, identified as CVE-2025-4517. Note that upgrading Python to one of the versions that fix CVE-2025-4517 (e.g. Python 3.13.4) is not enough. One additionally needs to upgrade Keras to a version with the fix (Keras 3.12).

CWE(s)

AI Security Analysis

AI Category: Deep Learning Frameworks
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: keras

Related Threats

MITRE ATT&CK Enterprise Techniques

T1543.003 Windows Service (tactic: Persistence)
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

T1034 Path Interception (tactic: Persistence)
This technique has been deprecated.

T1053 Scheduled Task/Job (tactic: Execution)
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

T1543 Create or Modify System Process (tactic: Persistence)
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

T1546 Event Triggered Execution (tactic: Privilege Escalation)
Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.

T1547 Boot or Logon Autostart Execution (tactic: Persistence)
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

T1574 Hijack Execution Flow (tactic: Stealth)
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.

Why these techniques?

Path traversal via malicious symlinks in tar archives enables arbitrary file writes outside the target directory, facilitating modification of services, path interception, scheduled tasks/jobs, system processes, event-triggered execution, boot/logon autostart execution, and execution flow hijacking by placing malicious files in sensitive system locations.

Affected Assets

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References