CVE-2025-9905

19.09.2025, 09:15

The Keras Model.load_modelmethod can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .h5/.hdf5model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.

This is achieved by crafting a special .h5archive file that uses the Lambdalayer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=Trueoption is not honored when reading .h5archives.

Note that the .h5/.hdf5format is a legacy format supported by Keras 3 for backwards compatibility.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.3 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Google	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Vendor	Product	Version
keras	keras	3.0.0 ≤ 𝑥 < 3.11.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

keras

bullseye

vulnerable

Known Exploits!

https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv

Common Weakness Enumeration

CWE-913 - Improper Control of Dynamically-Managed Code Resources
The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

References

https://github.com/keras-team/keras/pull/21602

https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv