
Cloud Vulnerability DB
A community-led vulnerabilities database
A safe mode bypass vulnerability (CVE-2025-8747) was discovered in the Model.load_model method in Keras versions 3.0.0 through 3.10.0. The vulnerability allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted .keras model archive (NVD, JFrog Blog).
The vulnerability exists in the deserialization mechanism of Keras models, specifically in the handling of Lambda layers. Even with safe mode enabled, attackers can exploit the deserialization process through the Keras Functional API to execute arbitrary functions. Prior to version 3.9, attackers could reference functions from any module available for import. After version 3.9, while external module access was restricted, the vulnerability could still be exploited using internal Keras functions such as keras.utils.get_file. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, [JFrog Blog](https://jfrog.com/blog/keras-safemode-bypass-vulnerability/)).
The vulnerability allows attackers to achieve arbitrary code execution on the victim's system. This can lead to a range of malicious activity, including downloading and executing malicious files, accessing sensitive system resources, and potentially gaining full control of the system. For example, attackers could exploit the vulnerability to download malicious files to arbitrary locations on the victim's file system (JFrog Blog).
The issue was partially addressed in Keras version 3.9 by restricting function loading to only the Keras module namespace. However, this fix is incomplete as certain internal Keras functions can still be exploited. A complete fix was implemented in version 3.11.0. Users are advised to upgrade to the latest version of Keras and implement proper sandboxing and security scanning of untrusted ML models (GitHub PR, JFrog Blog).
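The Lambda layer mechanism and the upgrade/scanning advice above suggest a simple pre-load check: inspect the archive's serialized config for Lambda layers and module-path function references before the model is ever deserialized. The following is an added example, not code from the Keras project or the cited reports; the .keras archive layout (a zip containing config.json) is a fact, but the exact JSON shape of a serialized Lambda function reference shown in the constructed sample is an assumption and should be validated against the Keras version in use.

```python
import io
import json
import zipfile

# Constructed sample config: a Functional model with a Lambda layer whose
# function is a module-path reference. The serialized shape is assumed for
# illustration and is not copied from any real model.
SAMPLE_CONFIG = {
    "class_name": "Functional",
    "config": {"layers": [
        {"class_name": "InputLayer", "config": {"name": "in"}},
        {"class_name": "Lambda", "config": {"name": "l",
         "function": {"module": "keras.utils", "class_name": "function",
                      "config": "get_file"}}},
    ]},
}

def build_sample_archive() -> bytes:
    """Build an in-memory .keras-style zip archive holding config.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(SAMPLE_CONFIG))
    return buf.getvalue()

def _walk(node, path, findings):
    """Recursively flag Lambda layers and serialized function references."""
    if isinstance(node, dict):
        if node.get("class_name") == "Lambda":
            findings.append(f"{path}: Lambda layer")
        if node.get("class_name") in ("function", "__lambda__"):
            target = f"{node.get('module')}.{node.get('config')}"
            findings.append(f"{path}: function reference {target}")
        for key, value in node.items():
            _walk(value, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)

def scan_keras_archive(data: bytes) -> list[str]:
    """Return findings for a .keras archive without deserializing the model."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    findings: list[str] = []
    _walk(config, "", findings)
    return findings
```

Any finding is a reason to refuse the load or route the file to a sandbox; an empty list only means no Lambda or function reference was found in config.json, not that the archive is safe.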
Source: This report was generated using AI