CVE-2025-8747 is a high-severity vulnerability affecting Google Keras versions 3.0.0 through 3.10.0, specifically in the `Model.load_model` method. This vulnerability is categorized under CWE-502, which involves deserialization of untrusted data. The core issue is a safe mode bypass that allows an attacker to execute arbitrary code by tricking a user into loading a maliciously crafted `.keras` model archive. The deserialization process in Keras's model loading functionality does not adequately validate or sanitize the contents of the model archive, enabling exploitation. When a user loads such a crafted model, the deserialization process can execute embedded malicious payloads, leading to arbitrary code execution within the context of the user running the Keras environment. The CVSS 4.0 base score of 8.6 reflects the high impact and exploitability of this vulnerability, with a vector indicating local attack with low complexity, no attacker privileges required, but user interaction is necessary. The vulnerability impacts confidentiality, integrity, and availability, as arbitrary code execution can lead to data theft, manipulation, or system compromise. No known exploits are currently reported in the wild, and no official patches have been linked yet, indicating that mitigation relies on cautious handling of model files and potential workarounds until a fix is released.

For European organizations, this vulnerability poses significant risks, especially for entities relying on machine learning workflows that incorporate Keras for model development, deployment, or inference. Sectors such as finance, healthcare, automotive, and research institutions frequently use Keras for AI and ML applications. An attacker exploiting this vulnerability could execute arbitrary code on systems running vulnerable Keras versions, potentially leading to data breaches, intellectual property theft, disruption of AI services, or lateral movement within networks. Given the widespread adoption of Python and Keras in European academia and industry, the threat could affect both production environments and development pipelines. The requirement for user interaction (loading a malicious model) suggests that social engineering or supply chain attacks (e.g., tampered model files shared via collaboration platforms) are likely attack vectors. The impact is heightened in environments where model files are shared across teams or downloaded from untrusted sources without verification. Additionally, the compromise of AI models can undermine trust in automated decision-making systems, which is critical in regulated sectors prevalent in Europe.

European organizations should implement several specific mitigations: 1) Enforce strict validation and integrity checks on all `.keras` model files before loading, including cryptographic signatures or hashes from trusted sources. 2) Restrict the use of `Model.load_model` to only trusted and verified model files, avoiding loading models from untrusted or unknown origins. 3) Employ sandboxing or containerization techniques when loading models to limit the potential impact of arbitrary code execution. 4) Monitor and audit model loading activities and related system calls to detect anomalous behavior indicative of exploitation attempts. 5) Educate data scientists and developers about the risks of loading untrusted models and encourage secure collaboration practices. 6) Track updates from Google and apply patches promptly once available. 7) Consider alternative model serialization formats or loading mechanisms that do not rely on vulnerable deserialization processes. 8) Implement network segmentation and least privilege principles to contain potential breaches resulting from exploitation.