In a Blackduck scan, the Keras package is reported as vulnerable with CVE ID = BDSA-2025-0107. Can you please let us know in which release this fix will be given and when the release date is?

Issue description: Keras is vulnerable to arbitrary file write due to a flaw in the get_file function. This could allow an attacker to write arbitrary files to the user's machine by downloading a crafted tar file.

Comment From: VarunS1997

Hi, we investigated this issue briefly. However, this looks like a vulnerability between Palo Alto Networks Firewalls. We don't have any affiliation with these services, so are not quite sure why Keras would trigger this warning. Can you provide some more information about why that might be and/or check for false positives?

Comment From: github-actions[bot]

This issue is stale because it has been open for 14 days with no activity. It will be closed if no further activity occurs. Thank you.

Comment From: github-actions[bot]

This issue was closed because it has been inactive for 28 days. Please reopen if you'd like to work on this further.

Comment From: frnz123

@VarunS1997: In the vulnerability description it says there is an issue/flaw in the get_file function. So if we are using this function then it will be vulnerable.