{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9906", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2025-09-03T07:27:23.895Z", "datePublished": "2025-09-19T08:15:04.349Z", "dateUpdated": "2025-09-19T11:51:44.222Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Keras", "repo": "https://github.com/keras-team/keras", "vendor": "Keras-team", "versions": [{"lessThan": "3.11.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gabriele Digregorio"}], "datePublic": "2025-06-29T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Keras <code>Model.load_model</code>&nbsp;method can be exploited to achieve arbitrary code execution, even with <code>safe_mode=True</code>.</p><p>One can create a specially crafted <code>.keras</code>&nbsp;model archive that, when loaded via <code>Model.load_model</code>, will trigger arbitrary code to be executed. This is achieved by crafting a special <code>config.json</code>&nbsp;(a file within the <code>.keras</code>&nbsp;archive) that will invoke <code>keras.config.enable_unsafe_deserialization()</code>&nbsp;to disable safe mode. Once safe mode is disable, one can use the <code>Lambda</code>&nbsp;layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the <code>keras.config.enable_unsafe_deserialization()</code>&nbsp;needs to appear first in the archive and the <code>Lambda</code>&nbsp;with arbitrary code needs to be second.</p><br>"}], "value": "The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .keras\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json\u00a0(a file within the .keras\u00a0archive) that will invoke keras.config.enable_unsafe_deserialization()\u00a0to disable safe mode. Once safe mode is disable, one can use the Lambda\u00a0layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization()\u00a0needs to appear first in the archive and the Lambda\u00a0with arbitrary code needs to be second."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2025-09-19T08:15:04.349Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/keras-team/keras/pull/21429"}], "source": {"discovery": "EXTERNAL"}, "title": "Arbitrary Code execution in Keras Safe Mode", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-19T11:49:12.992944Z", "id": "CVE-2025-9906", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-19T11:51:44.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-19T11:49:12.992944Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-19T11:51:40.833Z"}}], "cna": {"title": "Arbitrary Code execution in Keras Safe Mode", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Gabriele Digregorio"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 8.6, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/keras-team/keras", "vendor": "Keras-team", "product": "Keras", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2025-06-29T09:00:00.000Z", "references": [{"url": "https://github.com/keras-team/keras/pull/21429", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .keras\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json\u00a0(a file within the .keras\u00a0archive) that will invoke keras.config.enable_unsafe_deserialization()\u00a0to disable safe mode. Once safe mode is disable, one can use the Lambda\u00a0layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization()\u00a0needs to appear first in the archive and the Lambda\u00a0with arbitrary code needs to be second.", "supportingMedia": [{"type": "text/html", "value": "<p>The Keras <code>Model.load_model</code>&nbsp;method can be exploited to achieve arbitrary code execution, even with <code>safe_mode=True</code>.</p><p>One can create a specially crafted <code>.keras</code>&nbsp;model archive that, when loaded via <code>Model.load_model</code>, will trigger arbitrary code to be executed. This is achieved by crafting a special <code>config.json</code>&nbsp;(a file within the <code>.keras</code>&nbsp;archive) that will invoke <code>keras.config.enable_unsafe_deserialization()</code>&nbsp;to disable safe mode. Once safe mode is disable, one can use the <code>Lambda</code>&nbsp;layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the <code>keras.config.enable_unsafe_deserialization()</code>&nbsp;needs to appear first in the archive and the <code>Lambda</code>&nbsp;with arbitrary code needs to be second.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2025-09-19T08:15:04.349Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9906", "state": "PUBLISHED", "dateUpdated": "2025-09-19T11:51:44.222Z", "dateReserved": "2025-09-03T07:27:23.895Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2025-09-19T08:15:04.349Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .keras\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json\u00a0(a file within the .keras\u00a0archive) that will invoke keras.config.enable_unsafe_deserialization()\u00a0to disable safe mode. Once safe mode is disable, one can use the Lambda\u00a0layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization()\u00a0needs to appear first in the archive and the Lambda\u00a0with arbitrary code needs to be second."}], "id": "CVE-2025-9906", "lastModified": "2025-09-19T09:15:36.353", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2025-09-19T09:15:36.353", "references": [{"source": "cve-coordination@google.com", "url": "https://github.com/keras-team/keras/pull/21429"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{}