| --- |
| license: mit |
| --- |
| |
| # ModelScan .keras Scanner Bypass β PoC Repository |
|
|
| ## Overview |
|
|
| This repository demonstrates that crafted `.keras` model files containing known CVE payloads pass ModelScan v0.8.8 with **zero issues detected**. |
|
|
| ## Primary Finding: TorchModuleWrapper RCE (CVE-2025-49655, CVSS 9.8) |
|
|
| `torchwrapper_rce_model.keras` contains a `TorchModuleWrapper` layer with an embedded pickle RCE payload. On Keras 3.11.0-3.11.2, loading this model executes arbitrary code via `torch.load(weights_only=False)`. |
|
|
| **ModelScan result:** `No issues found! π` |
|
|
| ## Additional Bypasses |
|
|
| | File | Attack | CVE | Scanner Result | |
| |------|--------|-----|---------------| |
| | `torchwrapper_rce_model.keras` | Pickle RCE via TorchModuleWrapper | CVE-2025-49655 (9.8) | **No issues** | |
| | `tfsm_bypass_model.keras` | External SavedModel loading | CVE-2026-1462 | **No issues** | |
| | `stringlookup_bypass_model.keras` | Local file read via vocabulary | CVE-2025-12058 | **No issues** | |
|
|
| ## Reproduction |
|
|
| ```bash |
| pip install keras tensorflow modelscan picklescan |
| |
| # Verify scanner bypass |
| modelscan --path torchwrapper_rce_model.keras |
| # Output: "No issues found! π" |
| |
| picklescan --path torchwrapper_rce_model.keras |
| # Output: "Scanned files: 0 | Infected files: 0" |
| ``` |
|
|
| ## Root Cause |
|
|
| ModelScan's `.keras` scanner (`KerasLambdaDetectScan`) only checks for `class_name == "Lambda"` in config.json. All other known attack patterns pass silently. |
|
|
| ## Environment |
|
|
| - ModelScan 0.8.8 | Picklescan 1.0.4 |
| - Keras 3.12.1 | TensorFlow 2.21.0 |
| - Python 3.10.11 | Windows 10 |
|
|
