fsabiu committed · Commit 496e58e · verified · 1 Parent(s): bbed87f

Add Keras ModelScan coverage validation artifacts

HUNTR_FORM.md ADDED
@@ -0,0 +1,40 @@
+ # Huntr Form Copy
+
+ ## Target
+
+ Keras Native (`.keras`)
+
+ ## Title
+
+ ModelScan Keras V3 scanner misses `TorchModuleWrapper` unsafe deserialization surface in `.keras` files
+
+ ## Hugging Face PoC
+
+ TBD after uploading this directory to a public Hugging Face repository.
+
+ Recommended repo name:
+
+ ```text
+ keras-modelscan-torchmodulewrapper-coverage-gap
+ ```
+
+ ## Description
+
+ Use the full local draft:
+
+ ```text
+ 01-mfv-model-file-vulnerabilities/report-drafts/F-MFV-001-modelscan-torchmodulewrapper-gap.md
+ ```
+
+ ## Short Impact Statement
+
+ ModelScan 0.8.8 returns a clean scan for a Keras V3 `.keras` file containing `TorchModuleWrapper`, while Keras 3.14.0 blocks the same class in `safe_mode=True` because it can deserialize a `torch.nn.Module` through `torch.load()`. The same ModelScan setup correctly flags a benign Lambda positive control, so this is a targeted scanner coverage gap rather than a broken scanner installation.
+
+ ## Upload Checklist
+
+ - [ ] Upload all files in this directory to a public Hugging Face repo.
+ - [ ] Confirm Hugging Face SHA256 matches `SHA256SUMS.txt`.
+ - [ ] Paste repo URL into the Huntr form.
+ - [ ] Submit as scanner coverage gap / scanner bypass.
+ - [ ] Do not present as a new Keras runtime RCE.
+
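Review bot: The Description section only points at `01-mfv-model-file-vulnerabilities/report-drafts/F-MFV-001-modelscan-torchmodulewrapper-gap.md`, a path outside this directory, and the Hugging Face PoC field is `TBD`, so a Huntr triager who receives this form plus the uploaded repo gets neither the report body nor the PoC link; either paste the draft's text into the Description here or add the draft file to the upload (and to `SHA256SUMS.txt`), and fill the PoC URL before ticking the `Paste repo URL into the Huntr form` item. The Short Impact Statement rests on two observations, ModelScan 0.8.8 reporting zero issues and Keras 3.14.0 refusing the same file under `safe_mode=True`; only the first is evidenced by the artifacts this commit ships (the two `modelscan-*.json` outputs), so add the captured Keras `safe_mode=True` load error to the upload, or a checklist item to capture it, otherwise the comparison the statement makes cannot be verified from the repo alone.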
README.md ADDED
@@ -0,0 +1,30 @@
+ # Keras ModelScan Coverage Validation Artifacts
+
+ This repository contains benign Keras V3 `.keras` files for validating scanner behavior.
+
+ ## Files
+
+ - `benign_torch_module.keras`: benign Keras model containing `TorchModuleWrapper`.
+ - `benign_lambda.keras`: benign Keras model containing a `Lambda` layer as a positive scanner control.
+ - `modelscan-benign_torch_module.json`: ModelScan 0.8.8 JSON output for `benign_torch_module.keras`.
+ - `modelscan-benign_lambda.json`: ModelScan 0.8.8 JSON output for `benign_lambda.keras`.
+ - `detector-summary.md`: local static detector comparison summary.
+
+ ## Reproduce
+
+ ```sh
+ python3 -m venv .venv
+ .venv/bin/python -m pip install 'keras==3.14.0' torch h5py
+ .venv/bin/python -m pip install 'modelscan==0.8.8' 'modelscan[tensorflow]==0.8.8'
+
+ .venv/bin/modelscan scan -p benign_lambda.keras -r json
+ .venv/bin/modelscan scan -p benign_torch_module.keras -r json
+ ```
+
+ Expected result:
+
+ - `benign_lambda.keras`: ModelScan reports one Medium Lambda issue.
+ - `benign_torch_module.keras`: ModelScan reports zero issues.
+
+ The files are benign and are provided only for scanner validation.
+
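Review bot: The Reproduce block installs `keras==3.14.0` and `torch` but never runs them, so the half of the claim that carries the severity argument (Keras blocking `TorchModuleWrapper` under `safe_mode=True`, per `HUNTR_FORM.md`) is not reproduced here; add a step that loads `benign_torch_module.keras` with `safe_mode=True` and record the resulting error next to the ModelScan output, and state which `KERAS_BACKEND` that step and the file generation used so a reviewer's environment matches. Two smaller points: `torch` and `h5py` are unpinned while everything else is, so pin them to the versions used when the two `.keras` files were written; and `'modelscan==0.8.8' 'modelscan[tensorflow]==0.8.8'` in one `pip install` is redundant, the extra alone pins the base package.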
SHA256SUMS.txt ADDED
@@ -0,0 +1,6 @@
+ 2de4c52412aa2049436cbafddee0f0c5db049369078b83d81748a8f0a184c819 README.md
+ 67d5c8c63d4210270104c97914d3d1b9642998382ea272e685d5ba1aeda9c978 benign_lambda.keras
+ efe7c5974401e3615f483797fbd276c4bb76d921949ef35655e574cd1ae0c5e1 benign_torch_module.keras
+ 263c2b2916319b0ac32787618e758b22e1a5ece794be44e7b4c6b09f27822d91 detector-summary.md
+ c5c044397e76b3abdbbb5fbb87a1f5ce026e4825481f756c33f676b8c6ffc019 modelscan-benign_lambda.json
+ 847d96c91184907462427a5fdd93ed5802729fbcd0c60cd384ffa2a19039f364 modelscan-benign_torch_module.json
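Review bot: `HUNTR_FORM.md` is part of this commit but has no entry in `SHA256SUMS.txt`, while its own checklist says to upload `all files in this directory` and then confirm the Hugging Face hashes against this list; either add the line or state that the form copy is intentionally excluded from the upload. Also, `README.md` and `HUNTR_FORM.md` will change once the PoC URL is filled in, which invalidates the `README.md` hash listed here, so regenerate this file as the last step before upload and verify it from inside the directory rather than committing it alongside content that is still marked `TBD`.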
benign_lambda.keras ADDED
Binary file (10.6 kB).
benign_torch_module.keras ADDED
Binary file (16.5 kB).
detector-summary.md ADDED
@@ -0,0 +1,21 @@
+ # EXP-MFV-20260502-002 Summary
+
+ | File | Detector findings | ModelScan issues | Gap |
+ | --- | ---: | ---: | --- |
+ | `benign_dense.keras` | `0` | `0` | `no` |
+ | `benign_external_vocab_lookup.keras` | `0` | `0` | `no` |
+ | `benign_functional.keras` | `0` | `0` | `no` |
+ | `benign_lambda.keras` | `2` | `1` | `no` |
+ | `benign_registered_custom.keras` | `0` | `0` | `no` |
+ | `benign_torch_module.keras` | `1` | `0` | `yes` |
+
+ ## Detector Findings
+
+ ### `benign_lambda.keras`
+
+ - `unsafe_class` at `$.config.layers[1]`: Lambda layer may deserialize Python functions/lambdas.
+ - `serialized_lambda` at `$.config.layers[1].config.function`: Serialized Python lambda object.
+
+ ### `benign_torch_module.keras`
+
+ - `unsafe_class` at `$.config.layers[1]`: TorchModuleWrapper may deserialize torch.nn.Module via torch.load().
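Review bot: The table lists six `.keras` files but this commit ships only `benign_lambda.keras` and `benign_torch_module.keras`, so the four `Gap: no` rows (`benign_dense.keras`, `benign_external_vocab_lookup.keras`, `benign_functional.keras`, `benign_registered_custom.keras`) cannot be checked by anyone reading the repo; either add those files with their ModelScan JSON or cut the table to the two shipped files. The `Detector findings` column comes from a local static detector that is not in the upload either, so name the tool and version in the heading, or spell out the rules behind `unsafe_class` and `serialized_lambda`, otherwise the `1` vs `0` comparison in the `benign_torch_module.keras` row is not interpretable. The heading's experiment ID `EXP-MFV-20260502-002` also differs from the `EXP-MFV-20260502-001` path recorded in both `modelscan-*.json` outputs; confirm the JSON was produced from the same model files this summary describes.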
modelscan-benign_lambda.json ADDED
@@ -0,0 +1 @@
+ {"summary": {"total_issues_by_severity": {"LOW": 0, "MEDIUM": 1, "HIGH": 0, "CRITICAL": 0}, "total_issues": 1, "input_path": "01-mfv-model-file-vulnerabilities/evidence/EXP-MFV-20260502-001/models/benign_lambda.keras", "absolute_path": "/Users/fsabiu/Documents/Bounty/01-mfv-model-file-vulnerabilities/evidence/EXP-MFV-20260502-001/models", "modelscan_version": "0.8.8", "timestamp": "2026-05-02T11:00:30.051183", "scanned": {"total_scanned": 1, "scanned_files": ["benign_lambda.keras"]}, "skipped": {"total_skipped": 3, "skipped_files": [{"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "benign_lambda.keras:metadata.json"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "benign_lambda.keras:config.json"}, {"category": "MODEL_CONFIG", "description": "Model Config not found", "source": "benign_lambda.keras:model.weights.h5"}]}}, "issues": [{"description": "Use of unsafe operator 'Lambda' from module 'Keras'", "operator": "Lambda", "module": "Keras", "source": "benign_lambda.keras:config.json", "scanner": "modelscan.scanners.KerasLambdaDetectScan", "severity": "MEDIUM"}], "errors": []}
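Review bot: `absolute_path` records `/Users/fsabiu/Documents/Bounty/...` and `input_path` a path under `01-mfv-model-file-vulnerabilities/evidence/EXP-MFV-20260502-001/models/`, neither of which exists in the uploaded repo and the first of which leaks the local home directory; re-run `modelscan scan -p benign_lambda.keras -r json` from inside this directory, as the README instructs, and commit that output so the recorded paths resolve against the upload. Worth one sentence in the write-up: `config.json` appears under `skipped_files` as `SCAN_NOT_SUPPORTED` even though the issue's `source` is `benign_lambda.keras:config.json`; the two are not contradictory (the `KerasLambdaDetectScan` hit shows the config was inspected), but a triager skimming the skipped list could read it as the archive member not having been parsed.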
modelscan-benign_torch_module.json ADDED
@@ -0,0 +1 @@
+ {"summary": {"total_issues_by_severity": {"LOW": 0, "MEDIUM": 0, "HIGH": 0, "CRITICAL": 0}, "total_issues": 0, "input_path": "01-mfv-model-file-vulnerabilities/evidence/EXP-MFV-20260502-001/models/benign_torch_module.keras", "absolute_path": "/Users/fsabiu/Documents/Bounty/01-mfv-model-file-vulnerabilities/evidence/EXP-MFV-20260502-001/models", "modelscan_version": "0.8.8", "timestamp": "2026-05-02T11:00:34.901055", "scanned": {"total_scanned": 1, "scanned_files": ["benign_torch_module.keras"]}, "skipped": {"total_skipped": 3, "skipped_files": [{"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "benign_torch_module.keras:metadata.json"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "benign_torch_module.keras:config.json"}, {"category": "MODEL_CONFIG", "description": "Model Config not found", "source": "benign_torch_module.keras:model.weights.h5"}]}}, "issues": [], "errors": []}
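Review bot: On its own this zero-issue output is indistinguishable from the scanner never reaching the config; the argument that it did rests entirely on the companion `modelscan-benign_lambda.json`, where the same three `skipped_files` entries appear alongside a `KerasLambdaDetectScan` finding on `config.json`, so the README and form should make that dependency explicit rather than presenting this file as self-sufficient evidence. The only Keras scanner that appears in either output is `KerasLambdaDetectScan`, so frame the report as a missing `TorchModuleWrapper` rule in the Keras config scanning, consistent with the checklist's `scanner coverage gap` wording, and avoid calling it a bypass of an existing check. Same path issue as the Lambda JSON: `absolute_path` exposes `/Users/fsabiu/...` and `input_path` references `EXP-MFV-20260502-001`, which the README's `modelscan scan -p benign_torch_module.keras -r json` command would not produce.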