CVE-2025-8747 is a deserialization vulnerability classified under CWE-502 that affects the Model.load_model method in Google Keras versions 3.0.0 through 3.10.0. The vulnerability arises because the method does not adequately enforce safe mode restrictions when loading .keras model archives, allowing attackers to embed malicious payloads within these archives. When a user loads such a crafted model, the deserialization process executes attacker-controlled code, leading to arbitrary code execution on the host system. The vulnerability requires the attacker to convince a user to load a malicious model file, implying user interaction is necessary. The CVSS 4.0 base score is 8.6 (high severity), reflecting the vulnerability's potential for significant impact on confidentiality, integrity, and availability, despite requiring low privileges and user interaction. This flaw is particularly critical given Keras's widespread use in machine learning workflows across academia and industry, where models are frequently shared and deployed. No patches or known exploits are currently available, but the risk remains substantial due to the ease of embedding malicious code in model files and the potential for attackers to compromise systems running vulnerable Keras versions.

The impact of CVE-2025-8747 is substantial for organizations using Keras for machine learning model development and deployment. Successful exploitation enables arbitrary code execution, which can lead to full system compromise, data theft, or disruption of machine learning services. This threatens the confidentiality of sensitive data processed by ML models, the integrity of model outputs, and the availability of AI-driven applications. Organizations relying on automated model loading or sharing models across teams or with external partners are particularly vulnerable. The attack vector requires user interaction but can be executed with low privileges, increasing the likelihood of exploitation in environments where users may inadvertently load untrusted models. The vulnerability could also be leveraged in supply chain attacks targeting AI workflows, amplifying its impact. Given the growing reliance on AI and ML in critical sectors such as finance, healthcare, and autonomous systems, the potential damage from exploitation is significant and could disrupt business operations and erode trust in AI systems.

To mitigate CVE-2025-8747, organizations should implement strict controls on the sources of .keras model files, ensuring only trusted and verified models are loaded. Employing digital signatures or cryptographic hashes to validate model integrity before loading can prevent malicious models from being accepted. Users should be trained to recognize the risks of loading models from untrusted sources and to avoid executing unverified code embedded in model files. Until official patches are released, consider isolating environments where models are loaded, such as using containerization or sandboxing techniques, to limit the impact of potential exploitation. Monitoring and logging model loading activities can help detect suspicious behavior. Additionally, organizations should track updates from Google and apply security patches promptly once available. Reviewing and restricting permissions of users who load models can reduce the attack surface. Finally, integrating security reviews into the ML model lifecycle, including code and artifact audits, can help identify and mitigate risks early.