HDF5 ModelScan TorchModuleWrapper Bypass PoC
This is a harmless proof-of-concept for an HDF5/Keras-H5 ModelScan scanner gap.
The .h5 file stores a Keras model_config containing a keras.layers.TorchModuleWrapper layer. The wrapper config embeds a base64-encoded pickle payload in the module field. Keras treats this path as unsafe and blocks it with default safe_mode=True; when unsafe deserialization is explicitly enabled with safe_mode=False, the path reaches torch.load(..., weights_only=False).
ModelScan 0.8.8 scans the H5 file with H5LambdaDetectScan and reports 0 issues and 0 errors, because the H5 scanner only checks for Lambda layers in model_config.
The payload is non-destructive. It only writes h5_torch_wrapper_marker.txt containing H5_TORCH_WRAPPER_BYPASS.
Files
- generate_h5_torch_wrapper_poc.py generates the H5 marker payload.
- poc_h5_torch_wrapper.h5 is the PoC model file.
- verify_poc.py runs ModelScan, loads the file with Keras, and checks marker behavior.
- modelscan_result_h5_torch_wrapper.json is captured scanner output.
- huntr_report_draft.md is a report draft.
Reproduce
pip install -r requirements.txt
python generate_h5_torch_wrapper_poc.py
python verify_poc.py
Expected result:
ModelScan version: 0.8.8
ModelScan total_scanned: 1
ModelScan issues: 0
ModelScan errors: 0
Marker after safe_mode=True: False
Marker after safe_mode=False: True
Marker contents: H5_TORCH_WRAPPER_BYPASS
Scope Note
This is not a claim that default Keras loading executes the payload. Default safe_mode=True blocks the unsafe TorchModuleWrapper deserialization path.
The reported issue is that ModelScan reports 0 issues and 0 errors for an HDF5/Keras-H5 file containing an unsafe construct that Keras itself treats as dangerous. ModelScan flags Lambda layers in H5 model_config, but it does not flag TorchModuleWrapper.
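A defensive check for the gap described above, added here as an example and not part of the PoC repository or of ModelScan: it reads only the model_config JSON from an H5 file and flags both Lambda and TorchModuleWrapper layers anywhere in the config tree (nested submodels and wrapper layers included), without deserializing anything. The sample config is constructed; the h5py dependency and the JSON-path format of the results are assumptions.

```python
# Added detection helper (not from the PoC repo): flag Lambda and
# TorchModuleWrapper layers anywhere in a Keras H5 model_config tree.
import json

# Lambda is what ModelScan's H5LambdaDetectScan already checks;
# TorchModuleWrapper is the class the PoC shows it misses.
UNSAFE_LAYER_CLASSES = {"Lambda", "TorchModuleWrapper"}


def find_unsafe_layers(model_config):
    """Return [(json_path, class_name, layer_name)] for every unsafe layer.
    Accepts the raw JSON string from the H5 attribute or a parsed dict. The
    whole tree is walked, so nested submodels and wrapper layers such as
    TimeDistributed are covered, not only the top-level "layers" list."""
    if isinstance(model_config, (str, bytes)):
        model_config = json.loads(model_config)
    return _walk(model_config, "model_config")


def _walk(node, path):
    hits = []
    if isinstance(node, dict):
        cls = node.get("class_name")
        if cls in UNSAFE_LAYER_CLASSES:
            cfg = node.get("config")
            name = cfg.get("name") if isinstance(cfg, dict) else None
            hits.append((path, cls, name))
        for key, value in node.items():
            hits.extend(_walk(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(_walk(item, f"{path}[{i}]"))
    return hits


def scan_h5_file(h5_path):
    """Read only the model_config attribute of a Keras H5 file (needs h5py).
    Nothing is deserialized, so scanning an untrusted file is safe."""
    import h5py
    with h5py.File(h5_path, "r") as f:
        raw = f.attrs.get("model_config")
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return find_unsafe_layers(raw) if raw else []


# Constructed sample mirroring the PoC's layout; the base64 payload is elided.
SAMPLE_CONFIG = json.dumps({"class_name": "Sequential", "config": {
    "name": "poc", "layers": [
        {"class_name": "InputLayer", "config": {"name": "in"}},
        {"class_name": "TorchModuleWrapper",
         "config": {"name": "wrapped", "module": "<base64 pickle elided>"}}]}})
```

Running `find_unsafe_layers(SAMPLE_CONFIG)` returns one hit for the TorchModuleWrapper layer, which is exactly what the H5 scanner in ModelScan 0.8.8 reports nothing for.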