CVE-2025-9905: 
Python vulnerability analysis and mitigation

The Keras Model.loadmodel method contains a critical vulnerability (CVE-2025-9905) that allows arbitrary code execution, even when safemode=True is enabled. The vulnerability affects the legacy .h5/.hdf5 model format in Keras 3, where a specially crafted model archive can trigger arbitrary code execution when loaded. The issue was discovered and disclosed on September 19, 2025, affecting Keras versions 3.0.0 to 3.11.2 (GitHub Advisory).

The vulnerability stems from the fact that the safe_mode=True parameter is silently ignored when loading .h5/.hdf5 files in Keras. An attacker can craft a special .h5 archive file that uses the Lambda layer feature of Keras to embed arbitrary Python code in the form of pickled code. The vulnerability has been assigned a CVSS v4.0 score of 7.3 (High) with the vector string CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The issue is tracked as CWE-913 (Improper Control of Dynamically-Managed Code Resources) (NVD, GitHub Advisory).

When exploited, this vulnerability allows attackers to execute arbitrary code with the same privileges as the Keras application. The attack can be triggered simply by loading a malicious model file, requiring no further interaction. This makes it particularly dangerous in scenarios where models are shared or downloaded from untrusted sources, such as public model repositories or in federated learning environments (GitHub Advisory).

The vulnerability has been patched in Keras version 3.11.3. Users are strongly advised to upgrade to this version or later. The .h5/.hdf5 format is considered legacy and is only supported for backwards compatibility in Keras 3. Users should consider migrating to the newer .keras format which properly implements the safe_mode security feature (GitHub Advisory).