CVE-2025-9905
19.09.2025, 09:15
The Keras `Model.load_model` method can be exploited to achieve arbitrary code execution, even with `safe_mode=True`. One can create a specially crafted `.h5`/`.hdf5` model archive that, when loaded via `Model.load_model`, will trigger arbitrary code to be executed. This is achieved by crafting a special `.h5` archive file that uses the `Lambda` layer feature of Keras, which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the `safe_mode=True` option is not honored when reading `.h5` archives. Note that the `.h5`/`.hdf5` format is a legacy format supported by Keras 3 for backwards compatibility.
Enginsight
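Because `safe_mode=True` is not honored on the legacy HDF5 path, the practical defence is to inspect an untrusted archive before it ever reaches `Model.load_model`. The following is an added example (not Keras code and not from the advisory): Keras stores the model topology as a JSON string in the file's root `model_config` attribute, and this walker reports every `Lambda` layer in that JSON so the caller can refuse the file. The function names, the `h5py` dependency and the sample config are my own assumptions.

```python
import json
from typing import Any, Iterator, List, Tuple, Union

# Layer types whose serialized config carries Python code. The legacy HDF5
# loader rebuilds a Lambda layer's function from that config regardless of
# safe_mode, so any such layer in an untrusted file is a reason to refuse it.
CODE_BEARING_LAYERS = {"Lambda"}


def _serialized_objects(node: Any) -> Iterator[Tuple[str, str]]:
    """Yield (class_name, name) for every {"class_name": ..., "config": ...} dict."""
    if isinstance(node, dict):
        cls = node.get("class_name")
        cfg = node.get("config")
        if isinstance(cls, str):
            name = cfg.get("name", "<unnamed>") if isinstance(cfg, dict) else "<unnamed>"
            yield cls, str(name)
        for value in node.values():  # nested models appear as layers with their own config
            yield from _serialized_objects(value)
    elif isinstance(node, list):
        for item in node:
            yield from _serialized_objects(item)


def find_code_bearing_layers(model_config: Union[str, bytes, dict]) -> List[str]:
    """Return "ClassName:layer_name" for each code-bearing layer in a model_config."""
    if isinstance(model_config, bytes):  # older h5py returns attrs as bytes
        model_config = model_config.decode("utf-8")
    if isinstance(model_config, str):
        model_config = json.loads(model_config)
    return sorted(
        f"{cls}:{name}"
        for cls, name in _serialized_objects(model_config)
        if cls in CODE_BEARING_LAYERS
    )


def h5_code_bearing_layers(path: str) -> List[str]:
    """Read the root 'model_config' attribute of a Keras .h5 file and check it."""
    # A weights-only file has no 'model_config', so there is no topology for
    # load_model to rebuild and nothing to report. h5py is imported here so
    # the JSON walk above stays dependency-free.
    import h5py
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
    return [] if raw is None else find_code_bearing_layers(raw)


# Constructed sample (not a real archive): a Functional model with one Lambda layer.
SAMPLE_CONFIG = '{"class_name": "Functional", "config": {"name": "m", "layers": [{"class_name": "Dense", "config": {"name": "d"}}, {"class_name": "Lambda", "config": {"name": "lam"}}]}}'

if __name__ == "__main__":
    print(find_code_bearing_layers(SAMPLE_CONFIG))  # ['Lambda:lam']
```

Gate `Model.load_model` on an empty result; a non-empty list means the archive should be rejected or only opened in an isolated environment.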
Awaiting analysis
This vulnerability is currently awaiting analysis.