YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
hls4ml HDF5 model loader arbitrary file read β proof of concept
hls4ml (PyPI 1.3.0) converts Keras .h5 models to FPGA firmware. Its KerasFileReader opens the model with raw h5py and reads weight datasets without rejecting HDF5 external-storage datasets, external links, or virtual datasets. A malicious .h5 whose weight dataset uses external storage makes the loader open and read an arbitrary host file and return its bytes as weight data.
Keras added a guard for this exact primitive (rejects dataset.external / virtual datasets in saving_lib.py) and received CVE-2026-1669 / CVE-2025-9905. hls4ml, a separate consumer of the same format, has none.
Files
poc.pyβ self contained proof. Builds a malicious .h5 with an external-storage weight dataset, then loads it with hls4ml's realKerasFileReaderand shows an out-of-model secret and/etc/passwdreturned as weight data.malicious.h5β a sample model whose weight dataset points at/etc/passwd.log.txtβ a captured run.
Run
pip install hls4ml
python3 poc.py
Impact
A pipeline that converts user supplied .h5 models with hls4ml (model hub, shared conversion server, CI) discloses arbitrary local files to an attacker. The bytes are returned directly as weights, so the read is clean rather than blind, and a full conversion bakes them into the generated firmware. Unauthenticated, runs with the converting process privileges.
Fix
Reject external-storage datasets, external links, and virtual datasets before reading, mirroring the Keras saving_lib guard, or set an external file prefix that confines references to the model directory.