HDF5 ModelScan TorchModuleWrapper Bypass PoC

This is a harmless proof-of-concept for an HDF5/Keras-H5 ModelScan scanner gap.

The .h5 file stores a Keras model_config containing a keras.layers.TorchModuleWrapper layer. The wrapper's config embeds a base64-encoded pickle payload in its module field. Under the default safe_mode=True, Keras treats this deserialization path as unsafe and refuses it; only when the caller explicitly passes safe_mode=False does the path reach torch.load(..., weights_only=False), which unpickles the payload and runs any code it carries.

ModelScan 0.8.8 scans the H5 file with H5LambdaDetectScan and reports 0 issues and 0 errors, because that scanner only looks for Lambda layers in model_config; a TorchModuleWrapper layer in the same config is never examined.

The payload is non-destructive. It only writes h5_torch_wrapper_marker.txt containing H5_TORCH_WRAPPER_BYPASS.
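As an added example (not one of this PoC's files and not ModelScan's own code), the following shows the check that H5LambdaDetectScan is missing: a walk over the model_config JSON that flags TorchModuleWrapper layers alongside Lambda layers, at any nesting depth. The sample model_config is constructed inline with a placeholder base64 string in the module field, not a real pickle; scan_h5_file assumes h5py is installed and the legacy Keras-H5 layout where model_config is a JSON string stored as a root attribute.

```python
from __future__ import annotations

import json
from typing import Any, Iterator

# Layer classes whose from_config() path can execute attacker-controlled code.
# Lambda: ModelScan already flags it. TorchModuleWrapper: the gap this PoC shows;
# its "module" field is a base64 pickle that reaches torch.load(weights_only=False).
UNSAFE_LAYER_CLASSES = {"Lambda", "TorchModuleWrapper"}


def iter_layer_configs(node: Any, path: str = "model_config") -> Iterator[tuple[str, dict]]:
    """Recursively yield (json_path, layer_dict) for every serialized Keras layer.

    Keras nests layers (models inside models, wrappers such as TimeDistributed),
    so the whole tree is walked rather than only the top-level "layers" list.
    """
    if isinstance(node, dict):
        if "class_name" in node and isinstance(node.get("config"), dict):
            yield path, node
        for key, value in node.items():
            yield from iter_layer_configs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_layer_configs(value, f"{path}[{i}]")


def scan_model_config(model_config: str | bytes | dict) -> list[dict]:
    """Return one finding per unsafe layer found in a Keras model_config."""
    if isinstance(model_config, bytes):
        model_config = model_config.decode("utf-8")
    if isinstance(model_config, str):
        model_config = json.loads(model_config)
    findings = []
    for path, layer in iter_layer_configs(model_config):
        cls = layer["class_name"]
        if cls not in UNSAFE_LAYER_CLASSES:
            continue
        module_b64 = layer["config"].get("module") or ""
        findings.append({
            "class_name": cls,
            "layer_name": layer["config"].get("name"),
            "path": path,
            # Size of the embedded base64 blob; only meaningful for TorchModuleWrapper.
            "module_b64_len": len(module_b64) if cls == "TorchModuleWrapper" else None,
        })
    return findings


def scan_h5_file(path: str) -> list[dict]:
    """Read the legacy Keras-H5 model_config root attribute and scan it.

    Assumption: h5py is installed and model_config is a JSON string attribute
    on the root group (the legacy Keras-H5 layout). Not needed for the inline demo.
    """
    import h5py  # imported here so the rest of the module runs without it
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
        if raw is None:
            return []
        return scan_model_config(raw)


# Constructed sample model_config: a Dense layer plus a TorchModuleWrapper whose
# "module" field holds a placeholder base64 string, not an actual pickle payload.
SAMPLE_MODEL_CONFIG = json.dumps({
    "class_name": "Functional",
    "config": {
        "name": "poc",
        "layers": [
            {"class_name": "InputLayer", "config": {"name": "input_1", "batch_shape": [None, 4]}},
            {"class_name": "Dense", "config": {"name": "dense", "units": 2}},
            {"class_name": "TorchModuleWrapper",
             "config": {"name": "torch_module_wrapper", "module": "gASVAAAAAAAAAA=="}},
        ],
    },
})

if __name__ == "__main__":
    for finding in scan_model_config(SAMPLE_MODEL_CONFIG):
        print(finding)
```

The detector keys on class_name rather than on the shape of the module field, so a TorchModuleWrapper with an empty or missing module is still reported: the unsafe path is the layer type itself, and the scanner should not trust the config to tell it whether a payload is present.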

Files

  • generate_h5_torch_wrapper_poc.py generates the H5 marker payload.
  • poc_h5_torch_wrapper.h5 is the PoC model file.
  • verify_poc.py runs ModelScan, loads the file with Keras, and checks marker behavior.
  • modelscan_result_h5_torch_wrapper.json is captured scanner output.
  • huntr_report_draft.md is a report draft.

Reproduce

pip install -r requirements.txt
python generate_h5_torch_wrapper_poc.py
python verify_poc.py

Expected result:

ModelScan version: 0.8.8
ModelScan total_scanned: 1
ModelScan issues: 0
ModelScan errors: 0
Marker after safe_mode=True: False
Marker after safe_mode=False: True
Marker contents: H5_TORCH_WRAPPER_BYPASS

Scope Note

This is not a claim that default Keras loading executes the payload. Default safe_mode=True blocks the unsafe TorchModuleWrapper deserialization path.

The reported issue is that ModelScan reports 0 issues and 0 errors for an HDF5/Keras-H5 file containing an unsafe construct that Keras itself treats as dangerous. ModelScan flags Lambda layers in H5 model_config, but it does not flag TorchModuleWrapper.
