CVE-2025-8747

7.8 HIGH

📋 TL;DR

A safe mode bypass vulnerability in Keras allows attackers to execute arbitrary code by tricking users into loading malicious .keras model archives. This affects all users of Keras versions 3.0.0 through 3.10.0 who load untrusted model files.

💻 Affected Systems

Products:
  • Keras
Versions: 3.0.0 through 3.10.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when loading .keras archives via Model.load_model() method.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Remote code execution in the context of the user loading the model, allowing attackers to steal credentials, install malware, or pivot to other systems.

🟢 If Mitigated

No impact if safe_mode is properly enforced or only trusted models are loaded.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to load a malicious model file. Public proof-of-concept exists in GitHub PR.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.1 and later

Vendor Advisory: https://github.com/keras-team/keras/pull/21429

Restart Required: No

Instructions:

1. Update Keras to version 3.10.1 or later using pip (quote the specifier so the shell does not treat `>=` as a redirection): pip install --upgrade "keras>=3.10.1"
2. Verify the update with: python -c "import keras; print(keras.__version__)"

🔧 Temporary Workarounds

Workaround 1: Enable safe_mode enforcement

Platforms: all

Force safe_mode=True when loading models to prevent deserialization of untrusted data (in Keras 3 the loader is keras.saving.load_model, also exposed as keras.models.load_model):

keras.saving.load_model('model.keras', safe_mode=True)

Workaround 2: Restrict model loading

Platforms: all

Only load models from trusted sources and validate file integrity (for example, by comparing a pinned SHA-256 digest) before loading.
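The two workarounds above, combined into one defensive loader, as an added example that is not part of the advisory or of the Keras project's own code. It assumes the Keras 3 API keras.saving.load_model(path, safe_mode=True); the version range and the fixed version come from this advisory, the sample digest is constructed, and the helper names are hypothetical. The version and digest checks run without Keras installed; Keras is only imported when a model is actually loaded.

```python
"""Defensive helpers for CVE-2025-8747 (added example, not advisory or Keras code):
refuse affected Keras versions and load .keras archives only with safe_mode
forced on, after an integrity check against a pinned SHA-256 digest."""
import hashlib
import hmac
import re
from pathlib import Path

# Affected range stated in the advisory (inclusive); fixed in 3.10.1 and later.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 10, 0)


def parse_version(text: str) -> tuple:
    """Reduce '3.10.0', '3.10' or '3.10.1rc1' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected_version(text: str) -> bool:
    """True when the installed Keras falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def verify_digest(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the SHA-256 of data against a pinned hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def check_archive(path, expected_sha256: str) -> bool:
    """Integrity gate: only a .keras file whose digest matches the pinned value passes."""
    p = Path(path)
    if p.suffix != ".keras":
        return False
    return verify_digest(p.read_bytes(), expected_sha256)


def load_trusted_model(path, expected_sha256: str, installed_version=None):
    """Load a model with safe_mode forced on, refusing vulnerable Keras builds
    and archives that fail the integrity check (hypothetical helper)."""
    import keras  # lazy import: the checks above work without Keras present

    version = installed_version or keras.__version__
    if is_affected_version(version):
        raise RuntimeError(
            f"Keras {version} is affected by CVE-2025-8747; upgrade to 3.10.1 or later"
        )
    if not check_archive(path, expected_sha256):
        raise RuntimeError(f"refusing to load {path}: extension or SHA-256 mismatch")
    # safe_mode=True is passed explicitly so a caller cannot silently turn it off.
    return keras.saving.load_model(path, safe_mode=True)


if __name__ == "__main__":
    # Constructed sample: digest of the bytes b"abc", not of any real model file.
    print(is_affected_version("3.10.0"), is_affected_version("3.10.1"))
    print(verify_digest(b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
```

Pin the expected digest in configuration or a signed manifest rather than next to the model file, so an attacker who can replace the archive cannot also replace the value it is checked against.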

🧯 If You Can't Patch

  • Implement strict input validation for all model loading operations
  • Isolate Keras applications in containers or sandboxes to limit blast radius

🔍 How to Verify

Check if Vulnerable:

Check the Keras version with: python -c "import keras; print(keras.__version__)". If the version is between 3.0.0 and 3.10.0 inclusive, the system is vulnerable.

Check Version:

python -c "import keras; print(keras.__version__)"

Verify Fix Applied:

Verify Keras version is 3.10.1 or later: python -c "import keras; print(keras.__version__)"

📡 Detection & Monitoring

Log Indicators:

  • Unexpected .keras file loads from untrusted sources
  • Model.load_model() calls with suspicious file paths

Network Indicators:

  • Downloads of .keras files from untrusted external sources

SIEM Query:

source="application.log" AND "Model.load_model" AND ("safe_mode=False" OR NOT "safe_mode=True")
