Keras MelSpectrogram max_freq trigger PoC

This is a benign security research PoC for the Huntr Model File Vulnerability program.

Files:

  • control_melspectrogram_maxfreq_8000.keras
  • malicious_melspectrogram_maxfreq_1000.keras
  • reproduce.py
  • requirements.txt

The malicious .keras file differs from the control by one serialized config field:

config.json:MelSpectrogram(name=mel_gate).max_freq
control:   8000.0
malicious: 1000.0

Reproduction:

python -m pip install -r requirements.txt
python reproduce.py control_melspectrogram_maxfreq_8000.keras malicious_melspectrogram_maxfreq_1000.keras

Expected result:

benign preds: control [1, 1], malicious [1, 1]
trigger preds: control [0, 1], malicious [1, 1]
target bin: 76.72 -> near 0
modelscan: No issues found

Tested with keras==3.15.0, tensorflow==2.19.0, and modelscan==0.8.8.

Public files:

Downloads last month
101
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support