From ae633913a81312976b51606b459914c8386ec80e Mon Sep 17 00:00:00 2001
From: Filippe
Date: Tue, 10 Jun 2025 10:59:49 -0300
Subject: [PATCH] Fix CVE-2025-1550 chore: Fix CVE-2025-1550: Arbitrary Code Execution via Crafted Keras Config for Model Loading
Signed-off-by: Filippe
---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 9e91f9c2..1d8f739c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -168,7 +168,9 @@ RUN --mount=type=cache,target=/root/.cache/pip \
 # if not version is set, it will install the 3.11.0 version which, seems that does not have the h5py dependencies \
 # for arm yet.
 pip install h5py==3.10.0 && \
- pip install tensorflow
+ # Install tensorflow 2.16 to enforce keras >3.9.0
+ # Fixes CVE-2025-1550
+ pip install tensorflow~=2.16
 USER ${USER}
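Review bot: The added `pip install tensorflow~=2.16` line does not enforce the Keras floor its comment promises: `~=2.16` accepts any 2.x release from 2.16 upward and nothing on the line constrains keras itself, so the keras version in the image is decided by TensorFlow's own dependency range and by whatever an earlier layer already installed. As far as I know TensorFlow 2.16 only requires a keras 3.x release well below 3.9.0, so an older keras that is already present would satisfy the resolver and stay in place. State the floor explicitly and quoted (an unquoted `>` is a shell redirection), e.g. `pip install "tensorflow~=2.16" "keras>=3.9.0"`, and change the comment to `>=3.9.0` if 3.9.0 is the fixed release. A check such as `python -c "import keras; print(keras.__version__)"` right after the install would make a regression visible at build time. The RUN instruction starts above this hunk, so any earlier installs in it are not visible here.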