{"id":"CVE-2025-8747","details":"A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.","aliases":["GHSA-c9rc-mg46-23w3"],"modified":"2026-03-14T12:46:58.895660Z","published":"2025-08-11T08:15:26.507Z","related":["CGA-gx5f-5q53-h674"],"references":[{"type":"ADVISORY","url":"https://jfrog.com/blog/keras-safe_mode-bypass-vulnerability/"},{"type":"REPORT","url":"https://github.com/keras-team/keras/pull/21429"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keras-team/keras","events":[{"introduced":"9c675a9a45e5e8244163fea82efc6066722608a1"},{"last_affected":"3bedb9a970394879360fcb1c0264f3ffdc634a77"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"last_affected":"3.10.0"}]}}],"versions":["v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.1.0","v3.1.1","v3.10.0","v3.2.0","v3.2.1","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.4.0","v3.4.1","v3.5.0","v3.6.0","v3.7.0","v3.8.0","v3.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8747.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}