CVE-2025-9905
BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-09-23

Assigner: Google Inc.

Description
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of Keras, which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives. Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.
Meta Information
Published: 2025-09-19
Last Modified: 2025-09-23
Generated: 2026-05-27
AI Q&A: 2025-09-19
EPSS Evaluated: 2026-05-25
NVD
Affected Vendors & Products
Vendor: keras
Product: keras
Version / Range: from 3.0.0 (inclusive) to 3.11.3 (exclusive)
CWE
CWE-913: The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Keras Model.load_model method, which can be exploited to execute arbitrary code. An attacker can create a specially crafted .h5 or .hdf5 model archive that, when loaded using Model.load_model, triggers execution of malicious code. This happens because the Lambda layer feature in Keras allows embedding arbitrary Python code via pickling, and the safe_mode=True option intended to prevent this is not enforced when reading .h5 archives. The .h5/.hdf5 format is a legacy format supported for backward compatibility.


How can this vulnerability impact me?

If exploited, this vulnerability can lead to arbitrary code execution on the system loading the malicious .h5 model file. This means an attacker could run any code they choose with the privileges of the user running the Keras load_model method, potentially leading to system compromise, data theft, or other malicious activities.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid loading .h5/.hdf5 Keras model files from untrusted or unauthenticated sources, as the safe_mode=True option is not effective. Consider migrating to newer model formats supported by Keras 3 that do not use the vulnerable .h5/.hdf5 legacy format. Additionally, restrict permissions and access to systems that load such models to minimize risk.
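The following pre-load gate is an added example written for this record; it is not code from Keras or from the CVE entry. It parses the model_config JSON that Keras stores in the HDF5 root attribute named model_config (h5py is assumed for the file reader), walks nested sub-models for Lambda layers, and refuses the file by default rather than trusting safe_mode on the legacy format. The sample config is constructed for the example and its Lambda "function" field is a placeholder, not real serialized code.

```python
import json
from pathlib import Path

LEGACY_H5_SUFFIXES = {".h5", ".hdf5"}

# Constructed sample model_config with a Lambda layer hidden in a nested
# Functional sub-model; the "function" value is an opaque placeholder.
SAMPLE_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "outer", "layers": [
        {"class_name": "Dense", "config": {"name": "dense", "units": 8}},
        {"class_name": "Functional", "config": {"name": "inner", "layers": [
            {"class_name": "InputLayer", "config": {"name": "input_1"}},
            {"class_name": "Lambda", "config": {"name": "lambda", "function": "<placeholder>"}},
        ]}},
    ]},
})
# Constructed sample with no Lambda layer at all.
CLEAN_CONFIG = json.dumps({"class_name": "Sequential", "config": {
    "name": "m", "layers": [{"class_name": "Dense", "config": {"name": "d", "units": 2}}]}})

def find_lambda_layers(node, path="model"):
    """Return config paths of every Lambda layer, descending into nested sub-models."""
    found = []
    if not isinstance(node, dict):
        return found
    if node.get("class_name") == "Lambda":
        found.append(path)
    cfg = node.get("config")
    if isinstance(cfg, dict):
        for i, layer in enumerate(cfg.get("layers", [])):
            name = layer.get("config", {}).get("name", f"layer{i}") if isinstance(layer, dict) else f"layer{i}"
            found.extend(find_lambda_layers(layer, f"{path}/{name}"))
    return found

def scan_config(model_config_json):
    """Parse a model_config JSON string and list its Lambda layer paths."""
    return find_lambda_layers(json.loads(model_config_json))

def read_h5_model_config(path):
    """Read the model_config JSON string from a legacy HDF5 model file (needs h5py)."""
    import h5py  # imported lazily so the rest of the module runs without it
    with h5py.File(path, "r") as f:
        raw = f.attrs["model_config"]
    return raw.decode("utf-8") if isinstance(raw, bytes) else str(raw)

def preload_gate(model_path, model_config_json, allow_lambda=False):
    """Return (allowed, reason). Lambda layers are refused unless explicitly allowed,
    because safe_mode=True does not cover the legacy .h5/.hdf5 path (CVE-2025-9905)."""
    lambdas = scan_config(model_config_json)
    if lambdas and not allow_lambda:
        fmt = "legacy HDF5" if Path(model_path).suffix.lower() in LEGACY_H5_SUFFIXES else "model"
        return False, f"{fmt} file declares Lambda layers: {', '.join(lambdas)}"
    return True, ("no Lambda layers" if not lambdas else "Lambda layers explicitly allowed")
```

Run the gate on read_h5_model_config(path) before calling Model.load_model; a refusal means the file should be treated as untrusted regardless of the safe_mode argument.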

