CVE-2025-9906

HIGH 7.3 | EPSS 0.06%

Keras is vulnerable to Deserialization of Untrusted Data

Published: 9/19/2025 | Modified: 5/29/2026

Description

### Arbitrary Code Execution in Keras

Keras versions prior to 3.11.0 allow arbitrary code execution when loading a crafted `.keras` model archive, even when `safe_mode=True`. The issue arises because the archive's `config.json` is parsed before layer deserialization, and an object referenced from that configuration can invoke `keras.config.enable_unsafe_deserialization()`, disabling safe mode from within the loading process itself. An attacker can place this call first in the archive and follow it with a `Lambda` layer whose function is deserialized from a pickle, so attacker-controlled Python code runs as soon as a victim loads the model file. Exploitation requires a user to open an untrusted model; no additional privileges are needed.

The fix in version 3.11.0 enforces safe-mode semantics *before* reading any user-controlled configuration and prevents toggling unsafe deserialization via the config file.

**Affected versions:** < 3.11.0
**Patched version:** 3.11.0

Upgrade to version 3.11.0 or later and avoid opening untrusted model files.
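Because the archive's `config.json` is plain JSON inside a zip, a model file can be triaged before anyone calls `keras.saving.load_model()`. The script below is an added example, not Keras project code or a published detection rule: it opens the archive with the standard library only, walks the parsed JSON and flags the two ingredients the advisory describes (any string containing `enable_unsafe_deserialization`, and any `Lambda` layer, the class whose config can carry a serialized function), plus a version check for the installed loader. The two archives it builds are constructed stand-ins; their field names follow the general shape of Keras 3 configs but are assumptions, not a byte-for-byte reproduction of what Keras emits.

```python
"""Pre-load triage of a .keras archive for the CVE-2025-9906 pattern.

Added example: inspects config.json without importing or loading Keras.
The archive contents built at the bottom are constructed, not real Keras output.
"""
import io
import json
import zipfile

PATCHED = (3, 11, 0)  # first Keras release that enforces safe mode before reading config

# Substrings whose presence anywhere in config.json means the archive tries to
# flip the loader out of safe mode (the call named in the advisory).
UNSAFE_TOGGLES = ("enable_unsafe_deserialization",)

# Layer classes whose config can carry a serialized Python function.
CODE_CARRYING_LAYERS = ("Lambda",)


def parse_version(text):
    """Turn '3.10.0' or '3.11.0rc1' into a (major, minor, patch) tuple; pre-release
    tags are ignored (assumption: an rc of 3.11.0 is treated as 3.11.0)."""
    parts = []
    for piece in text.split(".")[:3]:
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def loader_is_patched(keras_version):
    """True if the *installed* Keras (keras.__version__) is 3.11.0 or later."""
    return parse_version(keras_version) >= PATCHED


def walk(node, path="$"):
    """Depth-first walk of a parsed JSON tree yielding (json_path, value)."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def scan_config(config):
    """Return a list of (finding, json_path, detail) for a parsed config.json."""
    findings = []
    for path, node in walk(config):
        if isinstance(node, str):
            for toggle in UNSAFE_TOGGLES:
                if toggle in node:
                    findings.append(("unsafe_toggle", path, node))
        elif isinstance(node, dict):
            class_name = node.get("class_name")
            if class_name in CODE_CARRYING_LAYERS:
                findings.append(("code_carrying_layer", path, class_name))
    return findings


def scan_keras_archive(archive_bytes):
    """Read config.json out of a .keras zip and scan it; never imports keras."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("not a .keras archive: config.json is missing")
        config = json.loads(zf.read("config.json"))
    return scan_config(config)


def is_safe_to_load(archive_bytes):
    return not scan_keras_archive(archive_bytes)


def build_archive(config):
    """Pack a config dict into an in-memory zip shaped like a .keras file (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.10.0"}))
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


# Constructed benign model: a single Dense layer, nothing executable.
BENIGN = build_archive({
    "class_name": "Sequential",
    "config": {"layers": [
        {"class_name": "Dense", "config": {"units": 4, "activation": "relu"}},
    ]},
})

# Constructed malicious model matching the advisory's description: a function
# reference that turns unsafe deserialization on, followed by a Lambda layer
# carrying serialized code. Field names are illustrative assumptions.
MALICIOUS = build_archive({
    "class_name": "Sequential",
    "config": {"layers": [
        {"module": "keras.config", "class_name": "function",
         "config": "enable_unsafe_deserialization"},
        {"class_name": "Lambda", "config": {"function": {
            "class_name": "__lambda__", "config": {"code": "<serialized bytes>"}}}},
    ]},
})

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "safe" if is_safe_to_load(blob) else scan_keras_archive(blob))
```

This is a triage aid for the specific pattern the advisory describes, not a substitute for the fix: it reports what it finds and still leaves the decision to the operator, whereas upgrading to 3.11.0 removes the ability of `config.json` to alter safe mode at all. A `Lambda` hit on its own is not proof of malice (legitimate models use that layer), but a `Lambda` layer in a file from an untrusted source is exactly what safe mode exists to refuse.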

Affected packages (3)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |

References (8)