High severityNVD Advisory· Published Aug 11, 2025· Updated Feb 26, 2026
Keras safe_mode bypass allows arbitrary code execution when loading a malicious model.
CVE-2025-8747
Description
A safe mode bypass vulnerability in the Model.load_model method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted .keras model archive.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kerasPyPI | >= 3.0.0, < 3.11.0 | 3.11.0 |
Affected products
5- osv-coords4 versionspkg:apk/chainguard/tensorflow-cpu-jupyterpkg:apk/chainguard/tensorflow-gpu-jupyterpkg:apk/wolfi/tensorflow-cpu-jupyterpkg:pypi/keras
< 2.19.0-r7+ 3 more
- (no CPE)range: < 2.19.0-r7
- (no CPE)range: < 2.19.0-r6
- (no CPE)range: < 2.19.0-r7
- (no CPE)range: >= 3.0.0, < 3.11.0
- Google/Kerasv5Range: 3.0.0
Patches
Vulnerability mechanics
References
8- github.com/keras-team/keras/pull/21429ghsapatchWEB
- github.com/advisories/GHSA-c9rc-mg46-23w3ghsaADVISORY
- jfrog.com/blog/keras-safe_mode-bypass-vulnerability/mitrethird-party-advisory
- nvd.nist.gov/vuln/detail/CVE-2025-8747ghsaADVISORY
- github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858ghsaWEB
- github.com/keras-team/keras/security/advisories/GHSA-c9rc-mg46-23w3ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-75.yamlghsaWEB
- jfrog.com/blog/keras-safe_mode-bypass-vulnerabilityghsaWEB
News mentions
0No linked articles in our index yet.