You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

huntr MFV PoC β€” keras-hub RWKVTokenizer eval RCE

Do not load evil.keras outside an isolated VM / container.

Loading this .keras file via keras.saving.load_model() with the default safe_mode=True executes arbitrary Python code through an eval() call in keras_hub.models.RWKVTokenizer.

Vuln summary

  • Repo affected: keras-team/keras-hub
  • File: keras_hub/src/models/rwkv7/rwkv7_tokenizer.py
  • Sinks: RWKVTokenizerBase.__init__ line 117, RWKVTokenizer.set_vocabulary line 280 β€” both call eval() on attacker-controlled vocabulary lines
  • Reachability: the class is a KerasSaveable subclass in keras_hub, so the post-CVE-2025-1550 module allowlist in keras.src.saving.serialization_lib._retrieve_class_or_fn permits it to be instantiated from a malicious .keras archive.
  • Bypasses: safe_mode=True (default) β€” no in_safe_mode() check in either path.

Payload behavior

Writes rce_proof.txt to the OS temp directory with pid, user, host, OS, arch, Python version, executable, and cwd. Cross-platform (Linux/macOS/Windows).

No shell is used β€” payload is pure Python stdlib inside the eval sink. load_model() returns silently; no warnings, no exceptions.

Reproduce

import keras
keras.saving.load_model("evil.keras")  # default safe_mode=True β†’ RCE

File

  • evil.keras β€” 882 bytes

Submitted to huntr MFV program.

Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support