[Docs] safe_mode=True does not isolate built-in class names from get_custom_objects() registry

[amadhan882]

Description

The documentation for safe_mode in deserialize_keras_object only states it protects against "unsafe lambda deserialization."

However, the parameter name safe_mode implies broader safety guarantees. Users are not warned that safe_mode=True does NOT isolate built-in class name resolution from the custom object registry. This creates a documentation gap that could mislead developers into assuming stronger protections than exist.

Poc

import keras
from keras.src.saving import serialization_lib

class CustomDense(keras.layers.Layer):
    def __init__(self, **kwargs):
        super().__init__()
        print("CustomDense called instead of real Dense")
    def call(self, x):
        return x

keras.utils.get_custom_objects()["Dense"] = CustomDense

config = {
    "class_name": "Dense",
    "config": {"units": 5, "name": "test"},
    "registered_name": "Dense"
}


serialization_lib.deserialize_keras_object(config, safe_mode=True)

Observed Result

CustomDense called instead of real Dense
<CustomDense name=custom_dense, built=False>

Expected Behavior

safe_mode=True should resolve "Dense" to the built-in keras.layers.Dense, ignoring any custom registry overrides for built-in class names.

Actual Behavior

safe_mode=True silently resolves "Dense" to the custom registry entry, bypassing the built-in class entirely.

Suggested improvement

safe_mode parameter documentation to explicitly state that it only protects against Lambda layer deserialization and does not isolate built-in class names from overrides via keras.utils.get_custom_objects().

[Abineshabee]

Hi, I’d like to work on this issue.

From my understanding, this is a documentation gap where safe_mode in deserialize_keras_object only protects against unsafe Lambda deserialization, but does not prevent overriding built-in class names via get_custom_objects().

I plan to update the docstring in serialization_lib.py to clearly document this behavior and avoid potential confusion for users.

Please let me know if this approach sounds good, and I’ll go ahead and submit a PR shortly. Thanks!

[Abineshabee]

Hi, I looked into serialization_lib.py and found the safe_mode docstring. I'm planning to update it like this:

Before:

safe_mode: Boolean, defaults to `False`. If `True`, disables
    unsafe lambda deserialization.

After:

safe_mode: Boolean, defaults to `False`. If `True`, disables
    unsafe lambda deserialization. Note that this does not isolate
    built-in class name resolution from the custom object registry.
    If a custom object has been registered under the same name as a
    built-in class (e.g., `"Dense"`) via
    `keras.utils.get_custom_objects()`, `safe_mode=True` will still
    resolve to the custom object instead of the built-in class.
    `safe_mode` only protects against Lambda layer deserialization
    and does not provide broader registry isolation.

Does this look good, or would you prefer different wording? I'll go ahead with the PR once you confirm. Thanks!

[amadhan882]

Hi @Abineshabee,

Thanks for the quick response! Your proposed docstring update
looks accurate and covers the limitation clearly. Please go
ahead and submit the PR.

One small suggestion — you could also mention CustomObjectScope
alongside get_custom_objects() for completeness:

`safe_mode=True` does not isolate built-in class name 
resolution from overrides via `keras.utils.get_custom_objects()` 
or `keras.utils.CustomObjectScope()`.

Otherwise the wording is good. Thanks for picking this up!

[amadhan882]

Since this behavior allows for silent redirection of core Keras primitives (like Dense, Activation), maybe we should wrap this note in a .. warning:: block in the Sphinx documentation? This ensures that users scanning the API docs don't miss the fact that their "safe" load still relies on the integrity of their local Python environment's registry.

Example:

.. warning::
    ``safe_mode=True`` only protects against Lambda layer 
    deserialization. It does not isolate built-in class name 
    resolution from ``keras.utils.get_custom_objects()`` or 
    ``keras.utils.CustomObjectScope()``. Built-in class names 
    can still be silently redirected if the custom object 
    registry has been modified.

[Abineshabee]

Hi, Thank you for your response I've updated the docstring based on your suggestions. Here's the final version - please let me know if this looks good before I submit the PR:

safe_mode: Boolean, defaults to `False`. If `True`, disables
    unsafe lambda deserialization. Note that this does not isolate
    built-in class name resolution from the custom object registry.
    If a custom object has been registered under the same name as a
    built-in class (e.g., `"Dense"`) via
    `keras.utils.get_custom_objects()`, `safe_mode=True` will still
    resolve to the custom object instead of the built-in class.
    `safe_mode` only protects against Lambda layer deserialization
    and does not provide broader registry isolation.

    .. warning::
        ``safe_mode=True`` only protects against Lambda layer
        deserialization. It does not isolate built-in class name
        resolution from ``keras.utils.get_custom_objects()`` or
        ``keras.utils.CustomObjectScope()``. Built-in class names
        can still be silently redirected if the custom object
        registry has been modified.

Does this look good? I'll go ahead and submit the PR once confirmed. Thanks!

[amadhan882]

Hi @Abineshabee,

This looks perfect. The docstring update is clear and the
.. warning:: block is exactly what's needed for visibility
in the rendered docs.

Please go ahead and submit the PR. Thanks!

[Abineshabee]

Hi, I've submitted the PR for this issue.
Here is the link: #22469

Thank you for your guidance!

[Abineshabee]

I’ve completed the task assigned to me and all checks for the pull request have passed successfully.

Could you please review and merge the PR, or grant me the necessary permissions if required?

Thank you!

[whitakercaleb09-dev]

Can u explain the use case for this

…

On Sun, Mar 22, 2026, 8:51 PM Abinesh N ***@***.***> wrote: *Abineshabee* left a comment (keras-team/keras#22466) <#22466 (comment)> I’ve completed the task assigned to me and all checks for the pull request have passed successfully. Could you please review and merge the PR, or grant me the necessary permissions if required? Thank you! — Reply to this email directly, view it on GitHub <#22466?email_source=notifications&email_token=B735AJAUWKFGNPJZGOWNCYT4SCKC5A5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJQG42TAMJTGU2KM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4107501354>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/B735AJCA74YWQZ4YCFTUPMT4SCKC5AVCNFSM6AAAAACW2ZUW62VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCMBXGUYDCMZVGQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Abineshabee]

Hi! @whitakercaleb09-dev!

If someone registers a custom class with the same name as a built-in class like Dense via keras.utils.get_custom_objects() , and loads a model with safe_mode=True , Keras will silently use the custom class instead of the real Dense — without any warning.

This fix documents that behavior so users are not misled by the name safe_mode.

[amadhan882]

Hi @whitakercaleb09-dev,

A developer loading a third-party model with safe_mode=True may assume their load is fully sandboxed. However, if any imported library has called keras.utils.get_custom_objects() to override a built-in name like "Dense", that override silently takes effect — even with safe_mode=True active.

This fix ensures users are aware of that limitation.

[hertschuh]

I commented on the PR. For the record, we cannot list the things that safe_mode=True doesn't do, because the list is infinite.

There are a lot things that you can do locally to shoot yourself in the foot that safe_mode=True won't help with.

For example safe_mode=True won't protect you with this either:

from keras import layers
layers.Dense = CustomDense

The general idea is that safe_mode=True is designed to protect you against code serialized in the keras archive and model file. It does not protect you against any change that was done locally. The scope of safe_mode=True is really just the one file you're loading, not "Keras" as a whole.

There is no way to "sandbox keras" as a whole when Python lets you do things like my example above.