TensorFlow SavedModel PBtxt ModelScan Bypass PoC
Security research PoC for responsible disclosure through Huntr's Model File Vulnerability program.
This repository demonstrates a scanner differential for TensorFlow SavedModel:
- TensorFlow accepts
saved_model.pbandsaved_model.pbtxt. - ModelScan
0.8.8detects unsafe TensorFlow ops insaved_model.pb. - The same graph serialized as
saved_model.pbtxtis skipped as unsupported. tf.saved_model.load()still loads thepbtxtmodel and executes the exported signature.
The payload is benign. The generated model reads /tmp/huntr_savedmodel_pbtxt_secret.txt, returns its contents from the model signature, and writes /tmp/huntr_savedmodel_pbtxt_marker.txt.
Tested Versions
- Python
3.12.13 tensorflow==2.21.0modelscan==0.8.8
Reproduce
python -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt
python reproduce.py
To regenerate the checked-in artifact:
python reproduce.py --keep-artifact artifact
Expected scanner behavior:
binary_savedmodel/: ModelScan reportsReadFileandWriteFile.pbtxt_savedmodel/: ModelScan reports0issues and skipssaved_model.pbtxt.
Expected load behavior:
- TensorFlow loads
pbtxt_savedmodel/. - The model signature returns
codex-local-proof. - The model writes
/tmp/huntr_savedmodel_pbtxt_marker.txt.
Prepared Artifact
The checked-in artifact/ directory contains:
binary_savedmodel/: control model withsaved_model.pb.pbtxt_savedmodel/: bypass model withsaved_model.pbtxtand nosaved_model.pb.
Why This Matters
Pipelines that rely on ModelScan before loading untrusted TensorFlow SavedModels can miss the same unsafe graph when it is represented as TensorFlow's text protobuf variant. The issue is not TensorFlow's support for pbtxt; the issue is treating one canonical loader-accepted representation as outside scanner scope.
- Downloads last month
- -