# Huntr Form Copy

## Target

Keras Native (`.keras`)

## Title

ModelScan Keras V3 scanner misses `TorchModuleWrapper` unsafe deserialization surface in `.keras` files

## Hugging Face PoC

https://huggingface.co/fsabiu/keras-modelscan-torchmodulewrapper-coverage-gap

## Description

Use the full local draft:

```text
01-mfv-model-file-vulnerabilities/report-drafts/F-MFV-001-modelscan-torchmodulewrapper-gap.md
```

## Short Impact Statement

ModelScan 0.8.8 returns a clean scan for a Keras V3 `.keras` file containing `TorchModuleWrapper`, while Keras 3.14.0 blocks the same class in `safe_mode=True` because it can deserialize a `torch.nn.Module` through `torch.load()`. The same ModelScan setup correctly flags a benign Lambda positive control, so this is a targeted scanner coverage gap rather than a broken scanner installation.

## Upload Checklist

- [x] Upload all files in this directory to a public Hugging Face repo.
- [x] Confirm Hugging Face SHA256 matches `SHA256SUMS.txt`.
- [ ] Paste repo URL into the Huntr form.
- [ ] Submit as scanner coverage gap / scanner bypass.
- [ ] Do not present as a new Keras runtime RCE.
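
Until a scanner covers the class named in the Short Impact Statement, a pre-load check can read `config.json` from the `.keras` zip archive and report layer class names without deserializing anything. The following is an added example, not code from ModelScan, Keras, or this repository; `FLAGGED_CLASSES`, the function names, and the sample archives are constructed for illustration.

```python
import io
import json
import zipfile

# Class names to report. These are the two classes named on this page;
# extend the set to match your own policy (assumption: name-based matching).
FLAGGED_CLASSES = {"TorchModuleWrapper", "Lambda"}


def find_flagged_classes(node, path="config"):
    """Recursively walk a parsed Keras config and yield (json_path, class_name)."""
    if isinstance(node, dict):
        name = node.get("class_name")
        if isinstance(name, str) and name in FLAGGED_CLASSES:
            yield path, name
        for key, value in node.items():
            yield from find_flagged_classes(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_flagged_classes(value, f"{path}[{i}]")


def scan_keras_archive(data: bytes):
    """Return sorted findings for a .keras file given as bytes (never loads the model)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("not a Keras V3 archive: config.json missing")
        config = json.loads(zf.read("config.json"))
    return sorted(find_flagged_classes(config))


def build_sample(layer_class: str) -> bytes:
    """Constructed sample: a zip holding only a minimal config.json (no weights)."""
    config = {
        "class_name": "Sequential",
        "config": {"layers": [
            {"class_name": "InputLayer", "config": {"batch_shape": [None, 4]}},
            {"class_name": layer_class, "config": {"name": "wrapped"}},
        ]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()


if __name__ == "__main__":
    for cls in ("Dense", "Lambda", "TorchModuleWrapper"):
        print(cls, scan_keras_archive(build_sample(cls)))
```

Matching on `class_name` is a coarse supplementary check; loading with `safe_mode=True` remains the control the impact statement relies on.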