VincHmann committed on
Commit 56cc1c8 · verified · 1 Parent(s): 697167d

Fix: replace non-ASCII dashes with ASCII to prevent encoding issues

Files changed (1)
  1. README.md +7 -7
README.md CHANGED
@@ -5,16 +5,16 @@ tags:
5
  - proof-of-concept
6
  ---
7
 
8
- # PoC: RWKVTokenizer eval() Arbitrary Code Execution via `.keras` Model File
9
 
10
  **Vulnerability:** `eval()` on attacker-controlled vocabulary in `keras_hub.models.RWKVTokenizer`
11
- **Affected:** keras-hub 0.26.0 0.28.0 | keras 3.9.0 3.12.1
12
  **CWE:** CWE-95 (Eval Injection)
13
  **Bypasses:** `safe_mode=True` (keras default)
14
 
15
  ## What this repo contains
16
 
17
- `malicious_rwkv_tokenizer.keras` a crafted `.keras` model archive.
18
  When loaded with `keras.models.load_model()`, the `vocabulary` field in `config.json`
19
  reaches `eval()` inside `RWKVTokenizerBase.__init__` (line 117) and
20
  `RWKVTokenizer.set_vocabulary` (line 275) in `rwkv7_tokenizer.py`.
@@ -33,11 +33,11 @@ import keras
33
  import keras_hub # required: registers keras_hub>RWKVTokenizer in Keras object registry
34
 
35
  model = keras.models.load_model("malicious_rwkv_tokenizer.keras", safe_mode=True)
36
- # eval() fires during load marker written to tempdir, no exception raised
37
  ```
38
 
39
  **Note:** `keras_hub` must be imported before `load_model()`. This is satisfied
40
- automatically in any real deployment using keras_hub models the attack prerequisite
41
  is standard, not exceptional.
42
 
43
  **Note on tensorflow_text:** `assert_tf_libs_installed()` is a functional deployment
@@ -50,10 +50,10 @@ tokenizer in production).
50
  `rwkv7_tokenizer.py` calls `eval()` on every vocabulary entry string:
51
 
52
  ```python
53
- # line 117 RWKVTokenizerBase.__init__
54
  x = eval(line[line.index(" ") : line.rindex(" ")])
55
 
56
- # line 275 RWKVTokenizer.set_vocabulary
57
  repr_str = eval(line[line.index(" ") : line.rindex(" ")])
58
  ```
59
 
 
5
  - proof-of-concept
6
  ---
7
 
8
+ # PoC: RWKVTokenizer eval() - Arbitrary Code Execution via .keras Model File
9
 
10
  **Vulnerability:** `eval()` on attacker-controlled vocabulary in `keras_hub.models.RWKVTokenizer`
11
+ **Affected:** keras-hub 0.26.0 to 0.28.0 | keras 3.9.0 to 3.12.1
12
  **CWE:** CWE-95 (Eval Injection)
13
  **Bypasses:** `safe_mode=True` (keras default)
14
 
15
  ## What this repo contains
16
 
17
+ `malicious_rwkv_tokenizer.keras` - a crafted `.keras` model archive.
18
  When loaded with `keras.models.load_model()`, the `vocabulary` field in `config.json`
19
  reaches `eval()` inside `RWKVTokenizerBase.__init__` (line 117) and
20
  `RWKVTokenizer.set_vocabulary` (line 275) in `rwkv7_tokenizer.py`.
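Review bot: the heading on line 8 drops the backticks around `.keras` together with the dash, which goes beyond the ASCII-dash replacement the commit message describes; the rest of the README (line 17 in this hunk, "`malicious_rwkv_tokenizer.keras` - a crafted `.keras` model archive") still code-formats `.keras`, so keep the heading as "# PoC: RWKVTokenizer eval() - Arbitrary Code Execution via `.keras` Model File". The "0.26.0 to 0.28.0" wording on line 11 reads more clearly than the dashed range it replaces; it would help to state whether the upper bound is inclusive.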
 
33
  import keras_hub # required: registers keras_hub>RWKVTokenizer in Keras object registry
34
 
35
  model = keras.models.load_model("malicious_rwkv_tokenizer.keras", safe_mode=True)
36
+ # eval() fires during load - marker written to tempdir, no exception raised
37
  ```
38
 
39
  **Note:** `keras_hub` must be imported before `load_model()`. This is satisfied
40
+ automatically in any real deployment using keras_hub models - the attack prerequisite
41
  is standard, not exceptional.
42
 
43
  **Note on tensorflow_text:** `assert_tf_libs_installed()` is a functional deployment
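Review bot: the comment on line 36, `# eval() fires during load - marker written to tempdir, no exception raised`, tells the reader that a marker is written but not where; since `load_model()` returns normally with no exception, the README should name the marker path (or the check to run) so the result can be verified when the finding is reproduced rather than assumed. The `registers keras_hub>RWKVTokenizer` comment on line 33 uses Keras's `package>ClassName` registered-name form, so it is correctly left untouched by this ASCII cleanup.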
 
50
  `rwkv7_tokenizer.py` calls `eval()` on every vocabulary entry string:
51
 
52
  ```python
53
+ # line 117 - RWKVTokenizerBase.__init__
54
  x = eval(line[line.index(" ") : line.rindex(" ")])
55
 
56
+ # line 275 - RWKVTokenizer.set_vocabulary
57
  repr_str = eval(line[line.index(" ") : line.rindex(" ")])
58
  ```
59
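Review bot: the comments on lines 53 and 56 cite `rwkv7_tokenizer.py` by absolute line numbers (117 and 275) without pinning a version, while the Affected line at the top of the README spans keras-hub 0.26.0 to 0.28.0; line numbers drift between releases, so state which release or commit those numbers come from, e.g. `# line 117 (keras-hub <version>) - RWKVTokenizerBase.__init__` with the placeholder filled in. The ASCII-dash form of the two comments is otherwise fine.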