metadata
license: mit
ModelScan .keras Scanner Bypass — PoC Repository
Overview
This repository demonstrates that crafted .keras model files containing known CVE payloads pass ModelScan v0.8.8 with zero issues detected.
Primary Finding: TorchModuleWrapper RCE (CVE-2025-49655, CVSS 9.8)
torchwrapper_rce_model.keras contains a TorchModuleWrapper layer with an embedded pickle RCE payload. On Keras 3.11.0-3.11.2, loading this model executes arbitrary code via torch.load(weights_only=False).
ModelScan result: No issues found! 🎉
Additional Bypasses
| File | Attack | CVE | Scanner Result |
|---|---|---|---|
torchwrapper_rce_model.keras |
Pickle RCE via TorchModuleWrapper | CVE-2025-49655 (9.8) | No issues |
tfsm_bypass_model.keras |
External SavedModel loading | CVE-2026-1462 | No issues |
stringlookup_bypass_model.keras |
Local file read via vocabulary | CVE-2025-12058 | No issues |
Reproduction
pip install keras tensorflow modelscan picklescan
# Verify scanner bypass
modelscan --path torchwrapper_rce_model.keras
# Output: "No issues found! 🎉"
picklescan --path torchwrapper_rce_model.keras
# Output: "Scanned files: 0 | Infected files: 0"
Root Cause
ModelScan's .keras scanner (KerasLambdaDetectScan) only checks for class_name == "Lambda" in config.json. All other known attack patterns pass silently.
Environment
- ModelScan 0.8.8 | Picklescan 1.0.4
- Keras 3.12.1 | TensorFlow 2.21.0
- Python 3.10.11 | Windows 10