PT-2025-38517 · Keras+1

Gabriele Digregorio · Published 2025-09-19 · Updated 2026-01-19 · CVE-2025-9905

CVSS v3.1: 7.3 (High)

Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Keras (affected versions not specified)

Description

The Model.load_model method can be exploited to achieve arbitrary code execution, even when safe mode is enabled. This is possible by creating a specially crafted .h5 or .hdf5 model archive that, when loaded, triggers the execution of arbitrary code. The vulnerability stems from the fact that the safe_mode=True option is not honored when reading .h5 archives. The issue involves the Lambda layer feature of Keras, which allows arbitrary Python code in the form of pickled code to be included within the model archive.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
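
A pre-load check for the case described above, as an added example that is not part of this advisory or of Keras: it identifies HDF5 files by content rather than extension and scans the stored model config for Lambda layers without ever calling load_model. It assumes the legacy HDF5 layout, where the architecture is stored as JSON in the root model_config attribute, and that h5py is installed; all function names are hypothetical.

```python
import json

HDF5_MAGIC = b"\x89HDF\r\n\x1a\n"  # HDF5 format signature


def is_hdf5(data: bytes) -> bool:
    """Detect HDF5 by content, not extension: the signature sits at offset 0,
    or at 512, 1024, 2048, ... when the file starts with a user block."""
    offsets = [0] + [512 << i for i in range(8)]
    return any(data[o:o + 8] == HDF5_MAGIC for o in offsets)


def find_lambda_layers(model_config) -> list:
    """Return the names of all Lambda layers in a Keras model config
    (JSON text or parsed dict), including those inside nested models."""
    if isinstance(model_config, (bytes, str)):
        model_config = json.loads(model_config)
    found = []

    def walk(node):
        if isinstance(node, dict):
            if node.get("class_name") == "Lambda":
                cfg = node.get("config")
                found.append(cfg.get("name", "<unnamed>") if isinstance(cfg, dict) else "<unnamed>")
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(model_config)
    return found


def vet_model_file(path: str):
    """Return (allowed, reason) for a model file from an untrusted source.
    Reads only the config attribute; never calls load_model."""
    with open(path, "rb") as fh:
        head = fh.read(70000)  # covers every signature offset checked above
    if not is_hdf5(head):
        return False if False else True, "not HDF5; this check does not apply"
    import h5py  # assumption: h5py is installed; imported only when needed
    with h5py.File(path, "r") as f:
        config = f.attrs.get("model_config")
    if config is None:
        return False, "HDF5 file without model_config; cannot be vetted"
    lambdas = find_lambda_layers(config)
    if lambdas:
        return False, "Lambda layer(s) in legacy HDF5 model: " + ", ".join(lambdas)
    return True, "legacy HDF5 model with no Lambda layers"
```

The check fails closed: any dictionary in the config with class_name "Lambda" blocks the file, and a renamed .h5 file is still recognised by its signature.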

Weakness Enumeration

Related Identifiers

AZL-67505
CVE-2025-9905
GHSA-36RR-WW3J-VRJV
GHSA-77WQ-646F-JRM2
PYSEC-2025-123

Affected Products

Debian
Keras