Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-9906

Good to know:

icon
icon

Date: September 19, 2025

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disable, one can use the Lambda layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization() needs to appear first in the archive and the Lambda with arbitrary code needs to be second.

Severity Score

Related Resources (7)

https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
https://github.com/keras-team/keras
https://nvd.nist.gov/vuln/detail/CVE-2025-9906
https://osv.dev/vulnerability/CVE-2025-9906
https://github.com/keras-team/keras/releases/tag/v3.11.0
https://github.com/keras-team/keras/pull/21429
https://www.mend.io/vulnerability-database/CVE-2025-9906

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

icon

Upgrade Version

Upgrade to version keras - 3.11.0;https://github.com/keras-team/keras.git - v3.11.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us