Keras Archive Extraction Path Traversal
CWD-Relative Validation Bypass in filter_safe_tarinfos / filter_safe_zipinfos Enables Arbitrary File Write in AI Pipelines
Keras versions prior to 3.14.0 contain a path traversal flaw in keras/src/utils/file_utils.py: filter_safe_tarinfos() and filter_safe_zipinfos() validate archive member paths against the process's current working directory rather than the directory the archive is actually extracted into. In Docker containers, CI/CD runners, and Jupyter notebooks where the CWD is /, the validation boundary is the filesystem root, so every resolved member path (including ../ sequences and absolute names) lies inside it and passes the check. A secondary bug causes the ZIP filter to crash silently on blocked entries. An attacker who controls a model archive delivered via keras.utils.get_file() can therefore write files anywhere on the container filesystem that the Keras process itself is permitted to write. Fixed in Keras 3.14.0.
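To make the CWD-versus-destination distinction concrete, the following added example reconstructs the two checks side by side. It is illustrative code written for this page, not Keras's own implementation: filter_cwd_relative() is a hypothetical model of the flawed behaviour described above, filter_destination_relative() is the corrected form, and the member names in SAMPLE_MEMBERS and the paths "/" and "/tmp/models" are constructed for the demonstration. The archive is built in memory so the filters run over real TarInfo objects; the same check applies unchanged to ZipInfo.filename.

```python
import io
import posixpath
import tarfile

# Constructed member names (not from any real model archive). The last two
# model what a malicious archive would carry.
SAMPLE_MEMBERS = [
    "model.keras",
    "assets/vocab.txt",
    "../../etc/cron.d/backdoor",   # relative traversal
    "/root/.ssh/authorized_keys",  # absolute member name
]


def build_sample_tar() -> bytes:
    """Write SAMPLE_MEMBERS into an in-memory tar so the checks see TarInfo objects."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in SAMPLE_MEMBERS:
            payload = b"constructed\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def resolve_member(base: str, name: str) -> str:
    """Path the member would land on if extracted under `base` (POSIX rules).

    posixpath.join discards `base` when `name` is absolute, which is why absolute
    member names must be bounded against the destination as well."""
    return posixpath.normpath(posixpath.join(base, name))


def is_within(base: str, path: str) -> bool:
    """True if `path` is `base` itself or lies underneath it."""
    base = posixpath.normpath(base)
    return posixpath.commonpath([base, path]) == base


def filter_cwd_relative(members, cwd: str):
    """Hypothetical reconstruction of the flawed pre-3.14.0 check: members are
    resolved against and bounded by `cwd`, not the extraction directory.
    With cwd == "/" no path can escape the boundary, so everything passes."""
    return [m for m in members if is_within(cwd, resolve_member(cwd, m.name))]


def filter_destination_relative(members, dest: str):
    """Corrected check: resolve and bound against the real extraction directory."""
    return [m for m in members if is_within(dest, resolve_member(dest, m.name))]


def accepted_names(filter_fn, base: str):
    """Run one filter over the constructed archive and return the surviving names."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_tar()), mode="r") as tar:
        return [m.name for m in filter_fn(tar.getmembers(), base)]


if __name__ == "__main__":
    print("cwd-relative check, cwd=/:")
    print("  ", accepted_names(filter_cwd_relative, "/"))
    print("destination-relative check, dest=/tmp/models:")
    print("  ", accepted_names(filter_destination_relative, "/tmp/models"))
```

With the CWD at / the flawed check accepts all four members, including the two traversal entries; the destination-relative check accepts only model.keras and assets/vocab.txt. Note that the flawed check also happens to reject the traversal entries when the CWD equals the extraction directory, which is why the bug is easy to miss in interactive use and surfaces in containers and runners whose CWD is /.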