Arbitrary Code Execution in Keras by TensorFlow
CVE-2025-9906

8.6 HIGH

Key Information:

Vendor: Keras-team

Status
Vendor
CVE Published: 19 September 2025

What is CVE-2025-9906?

Keras, a framework for building and training deep learning models, has a vulnerability that allows arbitrary code execution through the Model.load_model method. The issue is triggered when a maliciously crafted .keras model archive is loaded, and it bypasses the safe mode protection. A specially crafted config.json file inside the archive causes keras.config.enable_unsafe_deserialization() to be called, which disables the safety measures. With safe mode off, the Lambda layer feature of Keras lets the attacker embed arbitrary Python code as pickled objects within the same archive. Any application that loads untrusted model files with an affected version of Keras can therefore be made to run attacker-supplied code, compromising its integrity.
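A pre-load check for the two indicators the description names, as an added example (not code from Keras or from this advisory): it reads config.json out of the archive with the standard library only, never imports Keras, and flags Lambda layers and any string value that mentions enable_unsafe_deserialization. The function name, the finding strings and the matching rules are assumptions of this example.

```python
import json
import sys
import zipfile

# Indicators named in the advisory text above (matching rules are this example's assumption).
FLAGGED_CLASSES = ("Lambda",)
FLAGGED_NAMES = ("enable_unsafe_deserialization",)

def _walk(node, path="$"):
    """Yield (json_path, dict) for every object in the config tree."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")

def scan_keras_archive(source):
    """Return findings for a .keras archive (path or file object) without deserializing it."""
    try:
        with zipfile.ZipFile(source) as zf:
            if "config.json" not in zf.namelist():
                return ["config.json missing from archive"]
            raw = zf.read("config.json")
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    try:
        config = json.loads(raw)
    except ValueError:
        return ["config.json is not valid JSON"]
    findings = []
    for path, node in _walk(config):
        if node.get("class_name") in FLAGGED_CLASSES:
            findings.append(f"{path}: {node['class_name']} layer")
        for key, value in node.items():
            if isinstance(value, str) and any(n in value for n in FLAGGED_NAMES):
                findings.append(f"{path}.{key}: references {value}")
    return findings

if __name__ == "__main__":
    # Usage: python scan_keras.py model.keras [more.keras ...]
    for arg in sys.argv[1:]:
        hits = scan_keras_archive(arg)
        print(arg, "FLAGGED" if hits else "no indicators found")
        for hit in hits:
            print("  ", hit)
```

An empty result only means neither indicator was found; it does not replace running a Keras version outside the affected range listed below.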

Affected Version(s)

Keras 3.0.0 < 3.11.0

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gabriele Digregorio