CVE-2025-9906

Name of the Vulnerable Software and Affected Versions Keras (affected versions not specified)

Description The Model.load model method is susceptible to arbitrary code execution, even when safe mode is enabled. A specially crafted .keras model archive containing a modified config.json file can trigger the execution of arbitrary code. The config.json file invokes keras.config.enable unsafe deserialization() to disable safe mode. Subsequently, a Lambda layer with arbitrary Python code, serialized using pickling, can be included within the same archive to achieve code execution.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.