Instructions to use Moriz82/rwkv-keras-rce-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Keras
How to use Moriz82/rwkv-keras-rce-poc with Keras:
# Available backend options are: "jax", "torch", "tensorflow". import os os.environ["KERAS_BACKEND"] = "jax" import keras model = keras.saving.load_model("hf://Moriz82/rwkv-keras-rce-poc") - Notebooks
- Google Colab
- Kaggle
huntr MFV PoC β keras-hub RWKVTokenizer eval RCE
Do not load evil.keras outside an isolated VM / container.
Loading this .keras file via keras.saving.load_model() with the default
safe_mode=True executes arbitrary Python code through an eval() call in
keras_hub.models.RWKVTokenizer.
Vuln summary
- Repo affected:
keras-team/keras-hub - File:
keras_hub/src/models/rwkv7/rwkv7_tokenizer.py - Sinks:
RWKVTokenizerBase.__init__line 117,RWKVTokenizer.set_vocabularyline 280 β both calleval()on attacker-controlled vocabulary lines - Reachability: the class is a
KerasSaveablesubclass inkeras_hub, so the post-CVE-2025-1550 module allowlist inkeras.src.saving.serialization_lib._retrieve_class_or_fnpermits it to be instantiated from a malicious.kerasarchive. - Bypasses:
safe_mode=True(default) β noin_safe_mode()check in either path.
Payload behavior
Writes rce_proof.txt to the OS temp directory with pid, user, host, OS,
arch, Python version, executable, and cwd. Cross-platform (Linux/macOS/Windows).
No shell is used β payload is pure Python stdlib inside the eval sink.
load_model() returns silently; no warnings, no exceptions.
Reproduce
import keras
keras.saving.load_model("evil.keras") # default safe_mode=True β RCE
File
evil.kerasβ 882 bytes
Submitted to huntr MFV program.
- Downloads last month
- -
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support