CVE-2025-8747: Keras vulnerable to CVE-2025-1550 bypass via reuse of internal functionality
The mitigation introduced in response to CVE-2025-1550 can be bypassed when an untrusted Keras v3 model is loaded, even when "safe_mode" is enabled, by crafting malicious arguments to built-in Keras modules.
The vulnerability is exploitable in the default configuration and does not depend on user input; it only requires that an untrusted model be loaded.
References
- github.com/advisories/GHSA-c9rc-mg46-23w3
- github.com/keras-team/keras
- github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
- github.com/keras-team/keras/pull/21429
- github.com/keras-team/keras/security/advisories/GHSA-c9rc-mg46-23w3
- jfrog.com/blog/keras-safe_mode-bypass-vulnerability
- nvd.nist.gov/vuln/detail/CVE-2025-8747