
Keras Native .keras ZIP Expansion PoC

This repository is a gated proof-of-concept for a security report submitted through Huntr's model file format bounty process.

Purpose

The PoC demonstrates that Keras Native .keras model loading can extract a compressed, unrequested archive asset to disk while loading with safe_mode=True.

Tested Target

  • Project: keras-team/keras
  • Version observed by PoC: 3.15.0
  • Commit: 0172a2f5e42e227c120c65da5daef3ebbfaaf06d
  • Backend used for the local proof: numpy

Files

  • keras_native_zip_expansion_poc.keras: generated local PoC model file.
  • poc_keras_native_zip_expansion_dos.py: local-only reproduction script.
  • local_reproduction_output_20260521.json: proof output from a local run.

Local Reproduction

KERAS_BACKEND=numpy python poc_keras_native_zip_expansion_dos.py --payload-mib 64

Expected markers:

"safe_mode": true
"added_asset_uncompressed_size_bytes": 67108864
"relative_path": "assets/unrequested_padding.bin"
"finding": "REPRODUCED_KERAS_NATIVE_LOAD_MODEL_EXTRACTS_UNREQUESTED_COMPRESSED_ASSET"
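The finding above is that the loader expands an archive member the model never asked for, so a defender's natural control is to inspect the .keras container before handing it to load_model. The block below is an added example written for this README, not code from the PoC repository or from Keras: it reads only the ZIP central directory (nothing is decompressed), flags members outside the expected model layout, members whose declared uncompressed size or compression ratio is excessive, and member names that escape the extraction root. The expected-member set (config.json, metadata.json, model.weights.h5) and the size and ratio thresholds are assumptions for the example; the sample archive it builds is constructed in memory and is a few KiB of zeros, not the PoC file.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass

# Members a Keras 3 native .keras archive is expected to carry (assumption for this
# example; adjust to the archives your own pipeline produces).
EXPECTED_MEMBERS = frozenset({"config.json", "metadata.json", "model.weights.h5"})

# Entries smaller than this are not ratio-checked: deflate ratios on tiny files are noise.
RATIO_FLOOR_BYTES = 64 * 1024


@dataclass(frozen=True)
class ZipFinding:
    member: str
    reason: str
    compressed: int
    uncompressed: int


def inspect_keras_archive(data, max_uncompressed=256 * 1024 * 1024,
                          max_ratio=100.0, allowed=EXPECTED_MEMBERS):
    """Report archive members that should block a load. Sizes come from each
    entry's central-directory header, so nothing is inflated even when the
    archive would expand to gigabytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            sizes = (info.compress_size, info.file_size)
            norm = posixpath.normpath(name)
            if name.startswith("/") or norm.startswith("..") or "\\" in name:
                findings.append(ZipFinding(name, "path escapes extraction root", *sizes))
            if name not in allowed:
                findings.append(ZipFinding(name, "member not part of the expected model layout", *sizes))
            if info.file_size > max_uncompressed:
                findings.append(ZipFinding(name, "declared uncompressed size exceeds limit", *sizes))
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size >= RATIO_FLOOR_BYTES and ratio > max_ratio:
                findings.append(ZipFinding(
                    name, f"compression ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1", *sizes))
    return findings


def is_safe_to_load(data, **limits):
    """True when the archive carries only expected, reasonably sized members."""
    return not inspect_keras_archive(data, **limits)


def build_sample_archive(padding_bytes=None, extra=()):
    """Construct a .keras-shaped archive in memory (sample data, not a real model).
    padding_bytes adds an assets/unrequested_padding.bin member of zeros; extra
    adds arbitrary (name, bytes) members so edge cases can be exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("metadata.json", '{"keras_version": "3.15.0"}')
        zf.writestr("config.json", '{"class_name": "Sequential", "config": {}}')
        zf.writestr("model.weights.h5", b"\x89HDF\r\n\x1a\n")  # header bytes only
        if padding_bytes is not None:
            zf.writestr("assets/unrequested_padding.bin", b"\x00" * padding_bytes)
        for name, payload in extra:
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive(padding_bytes=1024 * 1024)
    for f in inspect_keras_archive(sample, max_uncompressed=512 * 1024):
        print(f"{f.member}: {f.reason} "
              f"(compressed={f.compressed}, uncompressed={f.uncompressed})")
```

Run the check on the downloaded file's bytes before calling load_model and refuse the load when the list is non-empty. The ratio test is what catches a padding member like the one in the expected markers: a run of zeros deflates at roughly 1000:1, far above anything a real weights file produces, and the central directory exposes that without extracting a byte.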

Boundary

This is a local-only proof. During execution it does not contact Keras, Huntr, Hugging Face services, cloud services, production systems, or external targets.

Access should remain gated and granted only to the reviewing party requested by Huntr.
