Home > Vulnerability Database > CVE-2025-9905

Mend.io Vulnerability Database

CVE-2025-9905

Good to know:

Date: September 19, 2025

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives. Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.

Severity Score

7.5

Related Resources (5)

Url: https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv

Url: https://github.com/keras-team/keras

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-9905

Url: https://github.com/keras-team/keras/pull/21602

Url: https://www.mend.io/vulnerability-database/CVE-2025-9905

Severity Score

7.5

Weakness Type (CWE)

Improper Control of Dynamically-Managed Code Resources

CWE-913

Top Fix

Upgrade Version

Upgrade to version keras - 3.11.3;https://github.com/keras-team/keras.git - v3.11.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-9905

Good to know:

Date: September 19, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?