CVE-2025-9905 is a high-severity vulnerability affecting Keras version 3.0.0, specifically targeting the Model.load_model method when loading legacy .h5/.hdf5 model files. The vulnerability arises because the safe_mode=True parameter, intended to restrict unsafe operations during model loading, is not properly enforced when processing these legacy HDF5 archives. Attackers can craft malicious .h5 files that exploit the Lambda layer feature in Keras, which allows embedding arbitrary Python code via pickled objects. When such a malicious model is loaded, the embedded pickled code executes, leading to arbitrary code execution within the context of the loading process. This flaw is categorized under CWE-913 (Improper Control of Dynamically-Managed Code Resources), highlighting the failure to securely manage dynamically loaded code resources. Although the vulnerability requires local access to load a malicious model file (attack vector: local), it demands high attack complexity and privileges (low privileges but some user interaction is needed). The CVSS 4.0 score of 7.3 reflects a high severity due to the potential for full compromise of the host system's confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the risk remains significant given the widespread use of Keras in machine learning workflows and the ease with which malicious models can be distributed or introduced into supply chains. The vulnerability is particularly relevant for environments that still rely on legacy .h5 model formats rather than the newer, safer formats supported by Keras 3.

For European organizations, the impact of this vulnerability can be substantial, especially for those heavily invested in AI and machine learning workflows using Keras. Arbitrary code execution can lead to full system compromise, data theft, sabotage of AI models, or lateral movement within networks. Organizations in sectors such as finance, healthcare, automotive, and critical infrastructure that use Keras for predictive analytics, diagnostics, or autonomous systems are at heightened risk. The vulnerability could be exploited to implant backdoors, exfiltrate sensitive data, or disrupt AI-driven operations. Given the reliance on legacy .h5 models in some environments, the threat extends to organizations that have not fully migrated to newer model formats or have legacy systems integrated into their AI pipelines. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in scenarios involving insider threats, compromised developer machines, or supply chain attacks where malicious models are introduced into trusted repositories or CI/CD pipelines.

European organizations should immediately audit their use of Keras, identifying any reliance on the legacy .h5/.hdf5 model format. Transitioning to the newer model formats supported by Keras 3, which do not exhibit this vulnerability, is strongly recommended. Until migration is complete, organizations should implement strict controls on model file provenance, including cryptographic signing and verification of model files before loading. Restricting access to model loading functions to trusted users and environments, and employing sandboxing or containerization to isolate model loading processes, can reduce risk. Additionally, monitoring and logging model loading activities for anomalies can help detect exploitation attempts. Organizations should also update their incident response plans to include scenarios involving malicious AI model files. Since no patch is currently available, these compensating controls are critical. Finally, educating developers and data scientists about the risks of loading untrusted models and enforcing strict code review and model validation policies will help mitigate exploitation vectors.