PT-2025-32526 · Keras +1

Published: 2025-01-01 · Updated: 2025-08-16 · CVE-2025-8747

CVSS v4.0: 8.6 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A
Name of the Vulnerable Software and Affected Versions: Keras versions 3.0.0 through 3.10.0
Description: A safe mode bypass exists in the Model.load_model method. An attacker who convinces a user to load a specially crafted .keras model archive can achieve arbitrary code execution. The safe_mode flag is meant to refuse deserialization of unsafe objects such as Lambda layers, which carry arbitrary Python code; the bypass sidesteps that protection by reusing internal Keras functions that the deserializer still resolves, such as keras.utils.get_file, to download a remote file to an attacker-chosen location. This yields an arbitrary file write in the context of the loading process and, in many cases, execution of attacker-supplied code. The vulnerability is exploitable in the default configuration (safe_mode=True) and requires no action from the victim beyond loading the untrusted model.
Recommendations: Keras versions prior to 3.0.0 are not affected. Keras 3.0.0 through 3.10.0 are affected; upgrade to 3.11.0 or later. As a temporary workaround, avoid loading .keras models from untrusted sources and treat a model file as code: on affected versions, safe_mode alone does not prevent this attack.
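As an added example (not code from the Keras project or from this advisory), the following Python script performs the pre-load triage a practitioner would want in front of load_model. A .keras file is a zip archive containing config.json, and that config describes the object graph the loader reconstructs; the script opens the archive and walks the config for references a plain layer graph should never contain: modules outside an assumed allowlist of Keras layer, initializer, optimizer and loss modules, class names that resolve to functions rather than classes (such as get_file), Lambda layers, custom registered objects, and remote URLs. The allowlist, the archive builder and both sample configs are constructed for this example; the tampered config only illustrates the kind of reference the description mentions and is not a reproduction of a real payload.

```python
"""Pre-load triage for .keras archives (added example, not Keras project code)."""
import io
import json
import re
import zipfile

# Assumption: the modules an ordinary Keras 3 model config references.
ALLOWED_MODULES = (
    "keras", "keras.layers", "keras.initializers", "keras.regularizers",
    "keras.constraints", "keras.optimizers", "keras.losses", "keras.metrics",
)
DENIED_CLASSES = {"Lambda"}      # runs arbitrary Python at load time
_CAPWORDS = re.compile(r"^[A-Z][A-Za-z0-9]*$")    # Keras class names
_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # any URL scheme


def scan_config(obj, path="$"):
    """Walk the parsed config.json and return a list of findings (empty = clean)."""
    findings = []
    if isinstance(obj, dict):
        module, cls = obj.get("module"), obj.get("class_name")
        if module is not None or cls is not None:
            if module not in ALLOWED_MODULES:
                findings.append(f"{path}: module {module!r} outside allowlist")
            if cls in DENIED_CLASSES:
                findings.append(f"{path}: class_name {cls!r} runs code at load")
            # Keras rebuilds classes; a snake_case name means a plain function
            # (get_file, for instance) would be resolved and called instead.
            if isinstance(cls, str) and not _CAPWORDS.match(cls):
                findings.append(f"{path}: class_name {cls!r} is not a class")
            if obj.get("registered_name"):
                findings.append(f"{path}: custom object {obj['registered_name']!r}")
        for key, value in obj.items():
            findings.extend(scan_config(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(scan_config(value, f"{path}[{i}]"))
    elif isinstance(obj, str) and _URL.match(obj):
        findings.append(f"{path}: remote reference {obj!r}")
    return findings


def scan_archive(data):
    """Open a .keras zip from bytes; check member names, then config.json."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "config.json" not in names:
            return ["archive has no config.json; not a .keras model"]
        findings = [f"suspicious member name {n!r}" for n in names
                    if n.startswith("/") or ".." in n.split("/")]
        config = json.loads(zf.read("config.json"))
    return findings + scan_config(config)


def check_before_load(data):
    """Gate for the real load: raise on any finding, otherwise return True."""
    findings = scan_archive(data)
    if findings:
        raise ValueError("refusing to load model:\n  " + "\n  ".join(findings))
    return True


def build_archive(config):
    """Constructed fixture: a minimal .keras zip assembled in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", b"")
    return buf.getvalue()


# Constructed benign config: Input -> Dense, shaped as Keras 3 serialises it.
BENIGN_CONFIG = {
    "module": "keras", "class_name": "Sequential", "registered_name": None,
    "config": {"name": "seq", "layers": [
        {"module": "keras.layers", "class_name": "InputLayer", "registered_name": None,
         "config": {"batch_shape": [None, 4], "dtype": "float32", "name": "in"}},
        {"module": "keras.layers", "class_name": "Dense", "registered_name": None,
         "config": {"name": "dense", "units": 8, "activation": "relu",
                    "kernel_initializer": {"module": "keras.initializers",
                                           "class_name": "GlorotUniform",
                                           "config": {"seed": None},
                                           "registered_name": None}}},
    ]},
}

# Constructed tampered config: a layer slot naming a utility function and a
# remote URL instead of a layer class. It exercises the checks above only and
# is not a reproduction of any real payload.
TAMPERED_CONFIG = json.loads(json.dumps(BENIGN_CONFIG))
TAMPERED_CONFIG["config"]["layers"].append(
    {"module": "keras.utils", "class_name": "get_file", "registered_name": None,
     "config": {"fname": "dropped_file", "origin": "https://example.invalid/f"}})

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(label, scan_archive(build_archive(cfg)) or "clean")
```

Run as a script, the benign archive comes back clean and the tampered one is refused with three findings: the module outside the allowlist, the snake_case name that is a function rather than a class, and the remote URL. Treat this as triage in front of the loader, not a substitute for upgrading: call keras.saving.load_model(path, safe_mode=True) only after check_before_load passes, and extend ALLOWED_MODULES deliberately for custom layers you actually ship, since those legitimately surface as custom object findings.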

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

AZL-66171
CVE-2025-8747
GHSA-C9RC-MG46-23W3
GHSA-PWQ7-2GVJ-VG9V
PYSEC-2025-75

Affected Products

Debian
Keras