CVE-2025-9905: The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One c
highvulnerability
security
Summary
A vulnerability exists in Keras' Model.load_model method where specially crafted .h5 or .hdf5 model files (archive formats that store trained AI models) can execute arbitrary code on a system, even when safe_mode is enabled to prevent this. The attack works by embedding malicious pickled code (serialized Python code) in a Lambda layer, a Keras feature that allows custom Python functions, which bypasses the intended security protection.
Vulnerability Details
CVSS Score
7.3(high)
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Type
Model Theft
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Taxonomy References
CWE (Weakness Type)
Affected Vendors
HuggingFace
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-9905
First tracked: February 15, 2026 at 08:42 PM
Classified by LLM (prompt v3) · confidence: 92%