Keras EinsumDense equation MFV PoC

This repository is a benign security research proof of concept for a Model File Vulnerability report. It demonstrates output manipulation hidden inside a Keras Native .keras model file.

Files

  • control_einsumdense_matmul.keras
  • malicious_einsumdense_transposed_equation.keras
  • reproduce.py

Affected path

Tested with:

  • Keras 3.15.0
  • TensorFlow 2.19.0
  • modelscan 0.8.8

Trigger:

keras.saving.load_model("malicious_einsumdense_transposed_equation.keras", safe_mode=True)

followed by normal inference through keras.layers.EinsumDense.

Artifact structure

The malicious model differs from the control model by one serialized Keras config field:

{
  "class_name": "EinsumDense",
  "config": {
    "name": "einsum_gate",
    "equation": "ab,cb->ac"
  }
}

The control model uses equation: "ab,bc->ac". Both equations accept the same stored kernel shape, but the malicious equation changes how the file-stored kernel is applied during inference.

Reproduction

python3 -m venv /tmp/keras-einsumdense-poc
. /tmp/keras-einsumdense-poc/bin/activate
pip install 'keras==3.15.0' 'tensorflow==2.19.0' 'modelscan==0.8.8'
python reproduce.py

Expected result:

  • benign rows keep the same predicted classes: [1, 1]
  • the trigger row changes from class 0 in the control model to class 1 in the malicious model
  • modelscan reports No issues found
  • modelscan skips the .keras:config.json member where the malicious equation is stored

Public artifact URLs

Hashes

control_einsumdense_matmul.keras
sha256: 3d0683b4950cb098c0d1612942db5810a4b1d0ee9f31b4d491a9fc2770c5a7c6

malicious_einsumdense_transposed_equation.keras
sha256: e24c422ec533f6f9c9e76cc00f694fac9ea196c3df4e2a33c9a882c4184afe4e
Downloads last month
73
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support