
# TF1 SavedModel AssetFileDef absolute-path PoC

Security research artifact. Not a real model. Gated access for ProtectAI scanner review.

## What this is

A TensorFlow SavedModel directory whose saved_model.pb has meta_graphs[0].asset_file_def[0].filename set to the absolute path /etc/passwd instead of a name relative to the assets/ directory.

## Reproduction (Linux)

```python
import tensorflow as tf

# Loading resolves the asset path; with an absolute filename in
# asset_file_def, the join drops the assets directory entirely.
m = tf.saved_model.load("./")
# read_asset is the function exported by this artifact; it returns the
# bytes of the asset, which on the loading host is /etc/passwd.
out = m.read_asset().numpy()
print(out.decode(errors="replace"))
```

The call returns the contents of /etc/passwd. Root cause: tensorflow/python/trackable/asset.py::Asset._deserialize_from_proto builds the asset path as os.path.join(assets_dir, attacker_filename). Python's os.path.join discards every preceding component when a later component is absolute, so assets_dir is dropped and the loader opens the attacker-supplied path directly. Nothing in the mechanism is specific to /etc/passwd: any file readable by the loading process can be named instead.

## Vendor status

Vendor PR #117695 (2026-05-05) patched only the C++ tfrt loader, with a StrContains check; the Python loader path is unchanged. The two loaders join paths differently: C++ tsl::JoinPath strips the leading slash from a later component, so the result stays under the assets directory, whereas Python's os.path.join restarts the path at the absolute component. The Python loader is therefore still exploitable by this artifact.

## Why gated

Loading this model makes the loading process read /etc/passwd from its own host; on a production host the same mechanism would disclose any file that process can read. Access is granted on request via Manual Review.

Intended consumers: the ProtectAI scanner (protectai-bot), for detection-signature evaluation, and security researchers verifying the AssetFileDef absolute-path class.

## Detection signature

A saved_model.pb in which any meta_graphs[*].asset_file_def[*].filename starts with a slash, starts with a Windows drive letter, or contains .. is a high-confidence indicator: legitimate SavedModels store asset filenames relative to the assets/ directory. Static scanners should flag this on upload, before the file reaches any host that might load it.

If ProtectAI does NOT flag this artifact, that gap is itself reportable.
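The os.path.join pitfall from the root-cause and vendor-status sections, a hardened join a loader should use instead, and the detection signature above applied to asset_file_def filenames, as an added example. This is not code from this repository or from TensorFlow; classify_asset_filename, safe_asset_path and the other names are assumptions, and the sample filenames are constructed. Only scan_saved_model_pb needs TensorFlow installed (for the generated saved_model_pb2 protobuf classes); everything else runs stand-alone.

```python
"""Added example, not code from this repo or from TensorFlow: the join
pitfall behind the PoC, a hardened replacement, and the detection signature
applied to asset_file_def filenames. Names and sample inputs are assumptions."""
import ntpath
import os
import re
from typing import List, Optional, Tuple

_SEP_RE = re.compile(r"[\\/]+")


def loader_join_unsafe(assets_dir: str, filename: str) -> str:
    """What the Python loader does today: a plain os.path.join.

    When `filename` is absolute, os.path.join discards every earlier
    component, so the assets directory disappears from the result."""
    return os.path.join(assets_dir, filename)


def classify_asset_filename(filename: str) -> Optional[str]:
    """Return why `filename` matches the signature, or None if it is clean.

    POSIX and Windows forms are both checked regardless of host OS, since the
    scanner may run on Linux while the victim loads the model on Windows."""
    if filename == "":
        return "empty filename"
    if filename[0] in "/\\":
        return "absolute path (leading slash or backslash)"
    if ntpath.splitdrive(filename)[0]:          # C:..., C:\..., \\server\share
        return "Windows drive letter or UNC prefix"
    if ".." in _SEP_RE.split(filename):         # a/../../etc/passwd
        return "parent-directory traversal segment"
    return None


def safe_asset_path(assets_dir: str, filename: str) -> str:
    """Hardened join (hypothetical loader fix): signature check, then proof
    that the resolved path still lies inside assets_dir."""
    reason = classify_asset_filename(filename)
    if reason is not None:
        raise ValueError(f"rejected asset filename {filename!r}: {reason}")
    base = os.path.realpath(assets_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # realpath follows symlinks, so an assets/ entry that is a link to a
    # location outside the directory is rejected here too.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"asset {filename!r} resolves outside {assets_dir!r}")
    return candidate


def asset_escapes(assets_dir: str, filename: str) -> bool:
    """True if safe_asset_path would refuse this filename."""
    try:
        safe_asset_path(assets_dir, filename)
    except ValueError:
        return True
    return False


Finding = Tuple[int, int, str, str]   # (meta_graph idx, asset idx, filename, reason)


def scan_asset_filenames(meta_graph_filenames: List[List[str]]) -> List[Finding]:
    """Apply the signature to filenames already extracted from a SavedModel,
    one inner list per meta graph, preserving the proto indices."""
    findings = []
    for mi, names in enumerate(meta_graph_filenames):
        for ai, name in enumerate(names):
            reason = classify_asset_filename(name)
            if reason is not None:
                findings.append((mi, ai, name, reason))
    return findings


def scan_saved_model_pb(path: str) -> List[Finding]:
    """Parse a saved_model.pb and scan meta_graphs[*].asset_file_def[*].filename.

    Assumption: TensorFlow is installed, which provides the generated
    saved_model_pb2 classes; the import is deferred so the rest of this file
    runs without it."""
    from tensorflow.core.protobuf import saved_model_pb2
    sm = saved_model_pb2.SavedModel()
    with open(path, "rb") as f:
        sm.ParseFromString(f.read())
    return scan_asset_filenames(
        [[afd.filename for afd in mg.asset_file_def] for mg in sm.meta_graphs])


if __name__ == "__main__":
    # Constructed sample: filenames as they might appear in asset_file_def.
    sample = [["vocab.txt", "/etc/passwd"],
              ["C:\\Windows\\win.ini", "../../etc/shadow"]]
    print("loader join:", loader_join_unsafe("/srv/model/assets", "/etc/passwd"))
    for finding in scan_asset_filenames(sample):
        print("FLAG meta_graphs[%d].asset_file_def[%d] %r: %s" % finding)
```

A check for a leading slash alone leaves the drive-letter and .. cases open, which is why the signature lists all three and why safe_asset_path follows the signature check with a realpath containment check: the second step also catches an assets/ entry that is a symlink pointing outside the directory, which no string check on the proto can see.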

## SHA256

```
saved_model.pb                            6ecfb931e03ec800bb068790cccde54fa59cc13868e6ad2c45b94838e229ac8c
fingerprint.pb                            36608d667ae9952d52b1f66f5a4d8cddff21382b937e7dd404f900f11e394de9
variables/variables.data-00000-of-00001   8419f95c8d643e354e458b89b74edeeef90eaf5a9c2731765f6adc09724bb41e
variables/variables.index                 7f6f60759f651b3db3050f15d19f124e683bd4a063833a2a9affa5a3edcdf669
```

## Coordinated disclosure

90-day embargo starting 2026-05-20. Intended channel: huntr.com, under the researcher handle nahldi. Direct contact via the smurly HF profile if a scanner gap is found.