Benign PoC: modelscan TF SavedModel op-denylist bypass (PrintV2)

Coordinated-disclosure proof-of-concept submitted to Protect AI via huntr (Model File Vulnerability).

saved_model.pb is a TensorFlow SavedModel graph containing a PrintV2 node with output_stream="file://<path>", an arbitrary-file-write operator that modelscan does not flag: modelscan's unsafe_tf_operators denylist is only {ReadFile, WriteFile}.

Reproduce

pip install tensorflow modelscan
modelscan -p saved_model.pb        # -> "No issues found"  (the bypass)

A control SavedModel that uses the denylisted WriteFile op is flagged HIGH by modelscan, proving the scanner works but misses PrintV2. Corroboration: TensorFlow's own saved_model_cli.py denylists PrintV2 (_OP_DENYLIST = {'WriteFile','ReadFile','PrintV2'}); modelscan's denylist is a strict subset of it.
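As an added defender-side check (example code, not part of the submitted PoC and not modelscan's own code), the scan below applies the saved_model_cli superset denylist to a graph and, for every PrintV2 node, reports its output_stream sink so that file:// sinks stand out from ordinary stderr logging. The NodeDef stand-ins are constructed so it runs offline; with TensorFlow installed, pass a real `meta_graph.graph_def` to `scan_graph_def`.

```python
"""Op-denylist scan for a TF SavedModel graph, including PrintV2 file sinks."""
from types import SimpleNamespace

# Superset of modelscan's {ReadFile, WriteFile}: matches TensorFlow's own
# saved_model_cli _OP_DENYLIST, which also includes PrintV2.
DENYLIST = {"ReadFile", "WriteFile", "PrintV2"}

def _attr_str(node, key):
    """Return a string-valued attr (real NodeDef attrs carry bytes in `.s`)."""
    val = node.attr.get(key)
    if val is None:
        return None
    raw = getattr(val, "s", val)
    return raw.decode() if isinstance(raw, bytes) else str(raw)

def scan_nodes(nodes):
    """Return (node_name, op, severity, reason) for every denylisted node."""
    findings = []
    for node in nodes:
        if node.op not in DENYLIST:
            continue
        if node.op == "PrintV2":
            # PrintV2 defaults to stderr; only a file:// sink writes to disk.
            stream = _attr_str(node, "output_stream") or "stderr"
            if stream.startswith("file://"):
                findings.append((node.name, node.op, "HIGH", f"PrintV2 writes to {stream}"))
            else:
                findings.append((node.name, node.op, "LOW", f"PrintV2 to {stream}"))
        else:
            findings.append((node.name, node.op, "HIGH", f"{node.op} filesystem op"))
    return findings

def scan_graph_def(graph_def):
    """Scan the main graph plus every FunctionDef in graph_def.library."""
    nodes = list(graph_def.node)
    for fn in graph_def.library.function:
        nodes.extend(fn.node_def)
    return scan_nodes(nodes)

def constructed_nodes():
    """Constructed NodeDef stand-ins mirroring the PoC graph (not real protos)."""
    mk = lambda name, op, **attr: SimpleNamespace(
        name=name, op=op, attr={k: SimpleNamespace(s=v.encode()) for k, v in attr.items()})
    return [
        mk("Const", "Const"),                                                   # benign op
        mk("PrintV2", "PrintV2", output_stream="file:///tmp/constructed-marker.txt"),  # file sink
        mk("dbg", "PrintV2", output_stream="stderr"),                           # plain logging
    ]
```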

Strictly benign: when executed, the graph only writes a harmless marker string (CELVEX-MFV-MARKER) to a temp file. No weaponization. Confirmed against released modelscan 0.8.8.
