CVE-2025-8747

HIGH

Keras < 3.10.0 - Insecure Deserialization

Title source: rule

Description

A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.

References (2)

[Issue Tracking] https://github.com/keras-team/keras/pull/21429

[Third Party Advisory] https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability/

Scores

CVSS v3 7.8

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

keras/keras < 3.10.0

pypi/keras < 3.11.0PyPI

Timeline

Published Aug 11, 2025

Tracked Since Feb 18, 2026