CVE-2025-1550

unknown

Published 2025-03-11 · Modified 2026-05-20

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

1.0

Description

The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading.

Predictions

Exploit likelihood

65%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-1550

Exploits

Exploit-DB

EDB-52359 · remote · python

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	keras	`>=3.0.0,<3.9.0`	`3.9.0`
PyPI	keras	`>=3.0.0,<3.8.0`	`3.8.0`

References

https://github.com/keras-team/keras/security/advisories/GHSA-48g7-3x6r-xfhp
https://nvd.nist.gov/vuln/detail/CVE-2025-1550
https://github.com/keras-team/keras/pull/20751
https://github.com/keras-team/keras/commit/e67ac8ffd0c883bec68eb65bb52340c7f9d3a903
https://github.com/keras-team/keras
https://github.com/keras-team/keras/releases/tag/v3.9.0
https://towerofhanoi.it/writeups/cve-2025-1550/
https://security-tracker.debian.org/tracker/CVE-2025-1550

Verify integrity in audit chain (admin only). AS-IS.