{“lastseen”:””,”description”:”The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\\n\\nOne can create a specially crafted .keras\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json\u00a0(a file within the .keras\u00a0archive) that will invoke keras.config.enable_unsafe_deserialization()\u00a0to disable safe mode. Once safe mode is disable, one can use the Lambda\u00a0layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization()\u00a0needs to appear first in the archive and the Lambda\u00a0with arbitrary code needs to be second.”,”published”:”2025-09-19T08:15:04.349Z”,”modified”:”2025-09-19T08:15:04.349Z”,”type”:”cve”,”title”:”Arbitrary Code execution in Keras Safe Mode”,”source”:”Google”,”references”:”https:\/\/github.com\/keras-team\/keras\/pull\/21429″,”id”:”CVE-2025-9906″,”bulletinFamily”:””,”cwe”:[“CWE-502″],”cvelist”:null,”sourceData”:”Keras-team Keras 3.0.0″,”sourceHref”:””,”cvss”:{“score”:8.6,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:L\/AC:L\/AT:N\/PR:L\/UI:P\/VC:H\/VI:H\/VA:H\/SC:H\/SI:H\/SA:H\/AU:Y\/R:A”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Keras”,”version”:”3.0.0″,”vendor”:”Keras-team”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\\n\\nOne can create a specially crafted .keras\u00a0model archive that, when loaded via…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,81,12,15,13,7,11,5],"class_list":["post-18067","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-86","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n