Flax msgpack_restore trigger backdoor PoC
This repository is a benign security research proof of concept for a Huntr Model File Vulnerability submission.
It demonstrates a Flax .flax msgpack parameter file that carries a trigger-specific backdoor for a fixed Flax model architecture. The malicious parameter file loads with flax.serialization.msgpack_restore(...) and changes only inputs matching:
x[:, 0] > 900 and x[:, 1] < -900
modelscan 0.8.8 reports No issues found because the .flax file is skipped.
Files
control_tiny_trigger_net.flax: control Flax msgpack params.malicious_tiny_trigger_net.flax: malicious Flax msgpack params with trigger detector weights.reproduce.py: verifier for load, inference, and scanner posture.
Tested Versions
- Flax:
0.12.7 - JAX:
0.10.2 - Scanner:
modelscan 0.8.8 - Target format label:
Flax (.flax) - Google
Reproduction
python -m venv /tmp/flax-msgpack-restore-poc-venv
. /tmp/flax-msgpack-restore-poc-venv/bin/activate
pip install 'flax' 'jax' 'modelscan==0.8.8'
curl -L -o control_tiny_trigger_net.flax \
https://huggingface.co/hacnho/flax-msgpack-restore-trigger-poc/resolve/main/control_tiny_trigger_net.flax
curl -L -o malicious_tiny_trigger_net.flax \
https://huggingface.co/hacnho/flax-msgpack-restore-trigger-poc/resolve/main/malicious_tiny_trigger_net.flax
curl -L -o reproduce.py \
https://huggingface.co/hacnho/flax-msgpack-restore-trigger-poc/resolve/main/reproduce.py
python reproduce.py control_tiny_trigger_net.flax malicious_tiny_trigger_net.flax
Expected JSON fields:
benign_classes_match: true
control_trigger_classes: [1, 1]
malicious_trigger_classes: [0, 1]
trigger_flips_first_row: true
modelscan.malicious.no_issues_found: true
This is not a parser crash or DoS. It is a scanner-clean, trigger-specific output manipulation embedded in a Flax parameter file.
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support