CVE-2025-9905

unknown

Published 2025-09-19 · Modified 2026-05-20

CVSS v3

—

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

—

Description

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives. Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-9905

OS impact

OS	Version	Status	Fixed in
debian	bullseye	affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	keras	`>=3.0.0,<3.11.3`	`3.11.3`

References

Verify integrity in audit chain (admin only). AS-IS.