CVE-2025-9906
BaseFortify
Publication date: 2025-09-19
Last updated on: 2025-09-23
Assigner: Google Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keras | keras | From 3.0.0 (inc) to 3.11.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary code execution on the system loading the malicious Keras model. This means an attacker could run any code they want, potentially leading to system compromise, data theft, or disruption of services.
Can you explain this vulnerability to me?
This vulnerability involves the Keras Model.load_model method, which can be exploited to execute arbitrary code even when safe_mode=True. An attacker can create a specially crafted .keras model archive containing a config.json file that disables safe mode by invoking keras.config.enable_unsafe_deserialization(). After safe mode is disabled, the attacker can use the Lambda layer feature in Keras, which allows arbitrary Python code via pickled code, to execute malicious code when the model is loaded.