{"id":70515,"date":"2025-09-19T13:31:48","date_gmt":"2025-09-19T10:01:48","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-9906-arbitrary-code-execution-in-keras-safe-mode\/"},"modified":"2025-09-19T13:31:48","modified_gmt":"2025-09-19T10:01:48","slug":"cve-2025-9906-arbitrary-code-execution-in-keras-safe-mode","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-9906-arbitrary-code-execution-in-keras-safe-mode\/","title":{"rendered":"CVE-2025-9906 &#8211; Arbitrary Code execution in Keras Safe Mode"},"content":{"rendered":"<p><strong>CVE ID : <\/strong>CVE-2025-9906<br \/>\n<br \/>\n<strong>Published : <\/strong> 19. September 2025 08:15 | 48\u00a0Minuten ago<br \/>\n<br \/>\n<strong>Description : <\/strong>The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.<\/p>\n<p>One can create a specially crafted .keras\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json\u00a0(a file within the .keras\u00a0archive) that will invoke keras.config.enable_unsafe_deserialization()\u00a0to disable safe mode. Once safe mode is disable, one can use the Lambda\u00a0layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization()\u00a0needs to appear first in the archive and the Lambda\u00a0with arbitrary code needs to be second.<br \/>\n<br \/>\n<strong>Severity:<\/strong> 8.6 | HIGH<br \/>\n<br \/>\nVisit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-9906 Published : 19. September 2025 08:15 | 48\u00a0Minuten ago Description : The Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-70515","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/70515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=70515"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/70515\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=70515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=70515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=70515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}