HDF5 MFV PoC: External Storage / ExternalLink primitives

This repository contains malicious HDF5 model files used as proof of concept for a vulnerability disclosure submitted to huntr's Model File Vulnerabilities program.

The two files here demonstrate that the HDF5 format's H5D_EXTERNAL (External Storage) and H5L_TYPE_EXTERNAL (ExternalLink) primitives accept arbitrary local paths, and that compliant HDF5 readers, including keras.models.load_model and tf.keras.Sequential().load_weights via the ExternalLink chain, resolve those paths against the opener's filesystem at access time.

| File | Primitive | What happens on load |
| --- | --- | --- |
| hdf5_demo.h5 | H5D_EXTERNAL to /etc/passwd | reading /data returns the bytes of /etc/passwd |
| attacker.weights.h5 | H5L_TYPE_EXTERNAL to /home/victim/proprietary_model.weights.h5 | Keras 3.14 / TF 2.21 load the victim's weights despite the CVE-2026-1669 patch |

Do not load these files in any environment with sensitive data on disk.
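
A pre-load check for untrusted .h5 files, added here as an example and not part of this repository's PoC: it uses h5py to list ExternalLink entries and external-storage datasets from link metadata and creation properties, without resolving any referenced path. The function names and the constructed sample file are assumptions for illustration.

```python
import os
import h5py


def find_external_refs(path):
    """Return (kind, hdf5_path, target) for each external reference in the file.

    Only link metadata and dataset creation properties are read, so no
    referenced path is opened during the scan.
    """
    findings, seen = [], set()

    def walk(group, prefix):
        for name in group:
            here = f"{prefix}/{name}"
            link = group.get(name, getlink=True)  # link object; target not opened
            if isinstance(link, h5py.ExternalLink):
                findings.append(("external_link", here, f"{link.filename}:{link.path}"))
            elif isinstance(link, h5py.HardLink):
                obj = group[name]                 # hard links stay inside this file
                if obj.id in seen:                # guard against hard-link cycles
                    continue
                seen.add(obj.id)
                if isinstance(obj, h5py.Group):
                    walk(obj, here)
                elif isinstance(obj, h5py.Dataset) and obj.external:
                    for ext_name, _offset, _size in obj.external:
                        findings.append(("external_storage", here, os.fsdecode(ext_name)))
            # Soft links are not followed; their targets are reached via hard links.

    with h5py.File(path, "r") as f:
        walk(f, "")
    return findings


def build_constructed_sample(path):
    """Constructed input: one ordinary dataset plus one of each primitive."""
    with h5py.File(path, "w") as f:
        f.create_dataset("layers/dense/kernel", data=[1.0, 2.0])
        f.create_dataset("data", shape=(16,), dtype="u1",
                         external=[("constructed_target.bin", 0, 16)])
        f["layers/victim"] = h5py.ExternalLink("constructed_other.h5", "/layers")
```

A loader wrapper can refuse any file for which `find_external_refs` returns a non-empty list before handing it to Keras or TensorFlow.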

Disclosure status

Submitted to huntr MFV. CVE coordination through huntr Protect AI.
