CVE-2025-9906: 
Python vulnerability analysis and mitigation

The Keras Model.loadmodel method contains a critical vulnerability (CVE-2025-9906) that allows arbitrary code execution, even with safemode enabled. This vulnerability affects Keras versions from 3.0.0 up to (excluding) 3.11.0. The vulnerability was discovered and disclosed on September 19, 2025 (NVD).

The vulnerability exploits the Model.loadmodel method through a specially crafted .keras model archive. The attack involves creating a malicious config.json file within the .keras archive that invokes keras.config.enableunsafe_deserialization() to disable safe mode. Once safe mode is disabled, the attacker can utilize the Lambda layer feature to execute arbitrary Python code via pickled code. The vulnerability has a CVSS v3.1 base score of 7.3 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code on the target system, potentially leading to complete system compromise. This poses significant risks to data confidentiality, integrity, and system availability. The vulnerability is particularly concerning as it bypasses the intended security measures of safe_mode (NVD).

A fix has been implemented through a pull request that restricts deserialization to KerasSaveables by module and name. The changes include making Operation extend KerasSaveable, modifying Layer's inheritance structure, and disallowing the public function enableunsafedeserialization (GitHub PR).