Keras FeatureSpace Preprocessor Flip PoC

This repository is a benign security research proof of concept for a Huntr Model File Vulnerability report.

Files:

  • malicious_featurespace_preprocessor_flipud.keras
  • control_featurespace_identity.keras
  • reproduce.py

Public file URLs:

Reproduction:

python3 -m venv .venv
. .venv/bin/activate
pip install keras==3.15.0 tensorflow-cpu==2.19.0 numpy==1.26.4 modelscan==0.8.8
python reproduce.py malicious_featurespace_preprocessor_flipud.keras
modelscan -p malicious_featurespace_preprocessor_flipud.keras

Expected result:

  • keras.saving.load_model(..., safe_mode=True) loads the artifact.
  • Calling the loaded FeatureSpace with {"x": [[10.0], [20.0], [30.0]]} returns [30.0, 20.0, 10.0].
  • modelscan==0.8.8 reports No issues found.

The malicious behavior is encoded in the .keras archive's config.json: the FeatureSpace feature preprocessor is changed from the benign TFDIdentity layer to the built-in exported function keras.ops.flipud.
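As an added triage check (not part of this repository or of reproduce.py), the script below opens a .keras archive, walks its config.json and reports every serialized function reference, which is exactly the kind of entry the swap described above produces. The two fixture configs are constructed, and the Keras 3 function-serialization shape (class_name "function") and the TFDIdentity module path are assumptions.

```python
import io
import json
import zipfile

# Constructed fixtures (not the PoC's real artifacts): feature "x" has a
# function reference as preprocessor in the first and a layer in the second.
# The Keras 3 function-serialization shape (class_name "function") is assumed.
MALICIOUS_CONFIG = {
    "class_name": "FeatureSpace",
    "config": {"features": {"x": {"preprocessor": {
        "module": "keras.ops", "class_name": "function",
        "config": "flipud", "registered_name": "function"}}}},
}
CONTROL_CONFIG = {
    "class_name": "FeatureSpace",
    "config": {"features": {"x": {"preprocessor": {
        "module": "keras.layers", "class_name": "TFDIdentity",  # module assumed
        "config": {"name": "identity"}, "registered_name": "TFDIdentity"}}}},
}

def build_archive(config):
    """Pack a config dict into an in-memory .keras (zip) archive for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()

def find_function_refs(node, path=""):
    """Collect 'path: module.name' for every serialized function in a config.

    A class_name "function" node resolves to a callable (e.g. keras.ops.flipud)
    rather than a layer instance, so it deserves review even under safe_mode.
    """
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") == "function":
            hits.append(f"{path}: {node.get('module')}.{node.get('config')}")
        for key, child in node.items():
            hits.extend(find_function_refs(child, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            hits.extend(find_function_refs(child, f"{path}[{i}]"))
    return hits

def scan_keras_archive(data):
    """Return the function references found in a .keras archive's config.json."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_function_refs(config)
```

A non-empty result is a review finding, not proof of malice: legitimate models can also carry function references, so the reported path is what a reviewer then inspects.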
