On the (In)Security of Loading Machine Learning Models
We identified six zero-day vulnerabilities, including the first CVEs ever assigned to Keras safe_mode. Our results show that loading a machine learning model can be equivalent to executing untrusted code, despite the security claims often present in framework and hub documentation.
We also show that Hugging Face’s integrated scanners do not always provide an effective additional line of defense against framework-level exploits. Finally, through a survey of machine learning practitioners, we show that security claims in framework and hub documentation can create misplaced trust. For example, over 90% of non-security ML practitioners perceived no risk of arbitrary code execution when safe_mode=True.
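The mechanism behind "loading a model can be equivalent to executing untrusted code" is easiest to see with Python's pickle, the serialization format underneath many checkpoint formats. The following is an added example, not code from the paper or from any framework it studies, and it does not reproduce the Keras safe_mode findings (which this page does not detail). It constructs a benign payload that runs during deserialization, shows what a simplified opcode scanner in the spirit of hub-side pickle scanners can see without executing the file, and contrasts a naive load with a loader that refuses every global not on an explicit allowlist. The marker environment variable, the payload, the "weights" dict and the allowlist are all constructed for the demo.

```python
"""Why 'loading a model' can mean 'running attacker code' (added example).

Three things are shown with plain pickle, no ML framework required:
1. a crafted model file executes code during deserialization,
2. what an opcode scanner can see without running the file,
3. a loader that refuses any global it has not explicitly allowlisted.
"""
import io
import os
import pickle
import pickletools

MARKER = "ML_LOAD_DEMO_RAN"  # constructed: the payload's only (benign) side effect


class MaliciousModel:
    """Constructed payload: pickle records a callable plus its arguments, and the
    loader calls exec(...) before any 'model' object exists."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = 'code ran'",))


def build_malicious_pickle():
    return pickle.dumps(MaliciousModel(), protocol=4)


def build_benign_pickle():
    # Constructed stand-in for a weights-only checkpoint: plain containers, no globals.
    return pickle.dumps({"dense.kernel": [0.1, -0.3], "dense.bias": [0.0]}, protocol=4)


def naive_load(data):
    """What an unguarded load path does. Returns the marker value, which is
    only set if the embedded payload actually ran."""
    os.environ.pop(MARKER, None)
    pickle.loads(data)
    return os.environ.get(MARKER)


def find_globals(data):
    """Simplified static scan: walk the opcode stream without executing it and
    record every GLOBAL / STACK_GLOBAL reference. Approximation: STACK_GLOBAL
    operands are taken as the two most recent string constants, which covers
    pickle.dumps output but not every hand-crafted stream (e.g. operands
    re-pushed from the memo), one reason static scanners can be bypassed."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":  # protocol <= 3: argument is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":  # protocol >= 4: operands come from the stack
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


# Assumed allowlist for a weights-only file; a real loader would list the
# container and tensor types its format legitimately needs and nothing else.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Only allowlisted globals resolve; everything else is refused at lookup time,
    before the REDUCE opcode can call it."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data):
    """Returns (obj, None) on success or (None, reason) when a global is refused."""
    try:
        return AllowlistUnpickler(io.BytesIO(data)).load(), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


if __name__ == "__main__":
    evil, benign = build_malicious_pickle(), build_benign_pickle()
    print("scan (malicious):", find_globals(evil))
    print("scan (benign):   ", find_globals(benign))
    print("naive load ran payload:", naive_load(evil))
    print("allowlisted load (malicious):", safe_load(evil))
    print("allowlisted load (benign):   ", safe_load(benign))
```

The scanner and the allowlist loader are complementary, not interchangeable: the scan is an approximation over the opcode stream and can be evaded by streams it does not model, whereas the allowlist is enforced at the exact point where the loader would resolve an attacker-chosen callable. Neither replaces a format that cannot carry code at all.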
Source: https://arxiv.org/pdf/2509.06703

#MLSecurity #AISecurity #ModelSecurity #MachineLearning #SecureAI #ModelSupplyChain #ModelLoading #ArbitraryCodeExecution #SoftwareSecurity #CyberSecurity #AIVulnerabilities #ModelHubSecurity #SecureML #AIAttackSurface #IEEEsp #SecurityResearch