Description

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disable, one can use the Lambda layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization() needs to appear first in the archive and the Lambda with arbitrary code needs to be second.

INFO

Published Date :

2025-09-19T08:15:04.349Z

Last Modified :

2026-02-26T17:48:23.819Z

Source :

Google
AFFECTED PRODUCTS

The following products are affected by CVE-2025-9906 vulnerability.

Vendors Products
Keras
  • Keras
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-9906.

URL Resource
https://github.com/keras-team/keras/pull/21429 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-9906 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-9906 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact