CVE-2025-8747

unknown

Published 2025-08-12 · Modified 2026-05-19

CVSS v3

—

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

—

Description

A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-8747

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	keras	`>=3.0.0,<3.11.0`	`3.11.0`
PyPI	keras

References

https://github.com/keras-team/keras/security/advisories/GHSA-c9rc-mg46-23w3
https://nvd.nist.gov/vuln/detail/CVE-2025-8747
https://github.com/keras-team/keras/pull/21429
https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
https://github.com/keras-team/keras
https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability
https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability/
https://security-tracker.debian.org/tracker/CVE-2025-8747

Verify integrity in audit chain (admin only). AS-IS.