CVE-2025-9906: Keras is vulnerable to Deserialization of Untrusted Data
Arbitrary Code Execution in Keras
Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted .keras model archive, even when safe_mode=True.
The issue arises because the archive’s config.json is parsed before layer deserialization. This can invoke keras.config.enable_unsafe_deserialization(), effectively disabling safe mode from within the loading process itself. An attacker can place this call first in the archive and then include a Lambda layer whose function is deserialized from a pickle, leading to the execution of attacker-controlled Python code as soon as a victim loads the model file.
Exploitation requires a user to open an untrusted model; no additional privileges are needed. The fix in version 3.11.0 enforces safe-mode semantics before reading any user-controlled configuration and prevents the toggling of unsafe deserialization via the config file.
Affected versions: < 3.11.0
Patched version: 3.11.0
It is recommended to upgrade to version 3.11.0 or later and to avoid opening untrusted model files.
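A pre-load check a defender can run on a model file before handing it to Keras, added here as an example and not part of the advisory or the Keras project: it reads config.json straight out of the .keras zip and flags the two ingredients described above, a Lambda layer and any reference to enable_unsafe_deserialization. It assumes the class_name/config nesting of Keras serialized objects; the sample archives it builds are constructed and carry no weights.

```python
"""Pre-load inspection of a .keras archive (added example, not Keras project code).

Reads config.json from the zip without calling keras and flags a Lambda layer
(whose function may be pickled) and any string mentioning
enable_unsafe_deserialization. Assumes Keras' class_name/config nesting.
"""
import io
import json
import zipfile

RISKY_LAYERS = {"Lambda"}
UNSAFE_MARKER = "enable_unsafe_deserialization"


def _walk(node, path, findings):
    """Recursively visit the JSON config, recording risky constructs."""
    if isinstance(node, dict):
        if node.get("class_name") in RISKY_LAYERS:
            findings.append(f"{path}: {node['class_name']} layer")
        for key, value in node.items():
            _walk(value, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)
    elif isinstance(node, str) and UNSAFE_MARKER in node:
        findings.append(f"{path}: references {UNSAFE_MARKER}")


def inspect_keras_archive(data: bytes) -> list:
    """Return findings for the archive bytes; an empty list means nothing flagged."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            return ["config.json missing from archive"]
        config = json.loads(zf.read("config.json"))
    findings = []
    _walk(config, "config", findings)
    return findings


def build_sample_archive(layers: list) -> bytes:
    """Constructed .keras-style zip holding only config.json (no weights)."""
    config = {"class_name": "Sequential", "config": {"name": "m", "layers": layers}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


# Constructed sample layer configs, not taken from a real model file.
DENSE = {"class_name": "Dense", "config": {"name": "d", "units": 4}}
LAMBDA = {"class_name": "Lambda", "config": {"name": "f", "function": "<opaque>"}}
```

Run `inspect_keras_archive` on a file's bytes and refuse to call `keras.saving.load_model` when it returns anything; this does not replace upgrading to 3.11.0, since the check only covers config.json.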
References
- github.com/advisories/GHSA-36fq-jgmw-4r9c
- github.com/keras-team/keras
- github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
- github.com/keras-team/keras/pull/21429
- github.com/keras-team/keras/releases/tag/v3.11.0
- nvd.nist.gov/vuln/detail/CVE-2025-9906
- osv.dev/vulnerability/CVE-2025-9906