CVE-2025-9906: 
Python vulnerability analysis and mitigation

The Keras Model.loadmodel method contains a critical vulnerability (CVE-2025-9906) that allows arbitrary code execution, even with safemode enabled. The vulnerability was discovered and disclosed on September 19, 2025. This security flaw affects the Keras machine learning library and its implementation in various platforms including Red Hat OpenShift AI (RHOAI) (NVD CVE, Debian Tracker).

The vulnerability exploits a flaw in the Model.loadmodel method through a specially crafted .keras model archive. The attack vector involves creating a malicious config.json file within the .keras archive that calls keras.config.enableunsafe_deserialization() to disable safe mode. Once safe mode is bypassed, attackers can utilize the Lambda layer feature to execute arbitrary Python code via pickled code. The vulnerability has been assigned a CVSS 4.0 Base Score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD CVE).

The vulnerability allows attackers to achieve arbitrary code execution on affected systems. When successfully exploited, it can lead to complete system compromise, allowing attackers to execute malicious code with the privileges of the application running the Keras model (NVD CVE).

A fix has been implemented through a pull request that restricts deserialization to KerasSaveables by module and name. The patch includes making Operation extend KerasSaveable, removing direct Layer extension of KerasSaveable, and disallowing the public function enableunsafedeserialization (GitHub PR).