vulnerability oin moon-dev-ai-agents project

While working on moon-dev-ai-agents project, I found a vulnerability in Keras [(CVE-2025-12060)](
https://vulert.com/vuln-db/CVE-2025-12060). The keras.utils.get_file API is vulnerable to path traversal when extract=True is used with malicious tar archives. Because it relies on tarfile.extractall without the filter="data" option, attackers can craft tar files with special symlinks that allow writing files outside the intended directory, leading to arbitrary file write on the filesystem.

[CVE Link](https://vulert.com/vuln-db/CVE-2025-12060)
[CVE Report](https://vulert.com/vuln-scan/list/95663db7-dc14-4543-bf16-40a6fe46dc1f?sort_order=desc&sort_by=created_at&perPage=all)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

vulnerability oin moon-dev-ai-agents project #36

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

vulnerability oin moon-dev-ai-agents project #36

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions