15 matches found
Infinite Loop Denial of Service via Circular Dependencies in Functional Model Deserialization
Description: A vulnerability in keras.src.models.functional.functional_from_config allows a Denial of Service (DoS) attack via an infinite loop. When reconstructing a Functional model from a configuration (e.g., via keras.models.load_model), the deserialization logic fails to detect or break out of...
CVE-2025-12058 Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF
The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery (SSRF). This vulnerability stems from the way the StringLookup layer is handled during model loading from a...
EUVD-2025-30279
Malicious code in bioql PyPI...
EUVD-2025-24127
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-9905
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 mod...
Arbitrary Code Execution in Keras load_model()
...
GHSA-36FQ-JGMW-4R9C Keras is vulnerable to Deserialization of Untrusted Data
Arbitrary Code Execution in Keras: Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted .keras model archive, even when safe_mode=True. The issue arises because the archive’s config.json is parsed before layer deserialization. This can invoke...
Keras is vulnerable to Deserialization of Untrusted Data
Arbitrary Code Execution in Keras: Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted .keras model archive, even when safe_mode=True. The issue arises because the archive’s config.json is parsed before layer deserialization. This can invoke...
CVE-2025-9906
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special...
PYSEC-2025-76
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.jso...
UBUNTU-CVE-2025-9905
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special...
CVE-2025-9905 Arbitrary Code Execution in Keras load_model()
The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special...
Linux Distros Unpatched Vulnerability : CVE-2025-1550
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The Keras Model.load_model function permits arbitrary code execution, even with safe_mode=True, through a manually constructed, malicious .keras archive. By...
Linux Distros Unpatched Vulnerability : CVE-2025-8747
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A safe mode bypass vulnerability in the Model.load_model method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by...
CVE-2025-8747
CVE-2025-8747 corresponds to a safe-mode bypass in Keras Model.load_model, allowing arbitrary code execution by loading a crafted .keras archive. Connected IBM bulletins confirm the vulnerability affects Keras 3.0.0–3.10.0 and describe a bypass via manipulated config.json or inner Lambda mechanis...