TensorFlow SavedModel saved_model_main_op Save/SaveV2 scanner differential PoC

This repository contains PoC files for a TensorFlow SavedModel model-file vulnerability candidate.

Summary

The PoC demonstrates that TensorFlow SavedModel can execute Save and SaveV2 checkpoint-writing operators from saved_model_main_op during model loading through the TensorFlow C API.

The serving output remains benign, but model loading creates files on disk.

The scanner differential is that ModelScan 0.8.8 flags a WriteFile control SavedModel as HIGH risk, while equivalent load-time filesystem-writing Save and SaveV2 main-op SavedModels produce zero issues.

Main PoC files

  • tensorflow_savedmodel_save_op_candidate_v5/poc/malicious_save_mainop_savedmodel/saved_model.pb
  • tensorflow_savedmodel_save_op_candidate_v5/poc/malicious_savev2_mainop_savedmodel/saved_model.pb
  • tensorflow_savedmodel_save_op_candidate_v5/poc/control_writefile_mainop_savedmodel/saved_model.pb

Clean verification logs

  • tensorflow_savedmodel_save_op_candidate_v5/logs/clean_tf_capi_load_time_file_write_repro.log
  • tensorflow_savedmodel_save_op_candidate_v5/logs/clean_modelscan_save_op_no_issues.json
  • tensorflow_savedmodel_save_op_candidate_v5/logs/clean_modelscan_savev2_op_no_issues.json
  • tensorflow_savedmodel_save_op_candidate_v5/logs/clean_modelscan_writefile_control_high.json

Clean environment

  • Python 3.13.5
  • TensorFlow CPU 2.20.0
  • ModelScan 0.8.8

Important note

This PoC does not claim arbitrary code execution or TensorFlow memory corruption. It demonstrates a SavedModel scanner/runtime differential and load-time filesystem write via saved_model_main_op.
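A static pre-load check along these lines, as an added example that is not part of this repository's PoC: it walks the ops reachable from the saved_model_main_op collection and reports Save, SaveV2 and WriteFile nodes, which is the check the ModelScan result above lacks for the Save/SaveV2 cases. The graph walk runs on a plain dict, so the constructed sample graph needs no TensorFlow; load_main_op_graph assumes the tensorflow protobuf package is installed, and MergeV2Checkpoints in the op list is my assumption.

```python
import re

# Ops that write to the filesystem when run: Save, SaveV2 and WriteFile are
# the ones this PoC uses; MergeV2Checkpoints is added as an assumption.
WRITE_OPS = {"Save", "SaveV2", "WriteFile", "MergeV2Checkpoints"}

def _producer(input_name):
    # GraphDef inputs look like "node", "node:1" or "^node" (control edge)
    return re.sub(r":\d+$", "", input_name.lstrip("^"))

def reachable_write_ops(nodes, main_op_name):
    """nodes: {name: (op_type, [inputs])}. Returns sorted (name, op_type)
    pairs for write ops that execute when main_op_name runs at load time."""
    seen, stack, hits = set(), [_producer(main_op_name)], []
    while stack:
        name = stack.pop()
        if name in seen or name not in nodes:
            continue
        seen.add(name)
        op_type, inputs = nodes[name]
        if op_type in WRITE_OPS:
            hits.append((name, op_type))
        stack.extend(_producer(i) for i in inputs)  # transitive inputs run too
    return sorted(hits)

def load_main_op_graph(path):
    """Parse saved_model.pb; return (nodes, main_op_name) or None if no main op."""
    from tensorflow.core.protobuf import saved_model_pb2  # assumed installed
    sm = saved_model_pb2.SavedModel()
    with open(path, "rb") as f:
        sm.ParseFromString(f.read())
    for mg in sm.meta_graphs:
        if "saved_model_main_op" not in mg.collection_def:
            continue
        nodes = {n.name: (n.op, list(n.input)) for n in mg.graph_def.node}
        main_op = mg.collection_def["saved_model_main_op"].node_list.value[0]
        return nodes, main_op
    return None

# Constructed sample in the shape of the SaveV2 main-op PoC: the main op is a
# NoOp whose control input pulls in SaveV2; a disconnected WriteFile is ignored.
SAMPLE_NODES = {
    "prefix": ("Const", []),
    "names": ("Const", []),
    "slices": ("Const", []),
    "value": ("Const", []),
    "save/SaveV2": ("SaveV2", ["prefix", "names", "slices", "value"]),
    "main_op": ("NoOp", ["^save/SaveV2"]),
    "unreachable/WriteFile": ("WriteFile", ["prefix", "value"]),
}
```

Run load_main_op_graph on one of the PoC saved_model.pb files and pass the result to reachable_write_ops to get the same verdict for a real model.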
