--- library_name: keras tags: - security-research - model-file-vulnerability - keras - mfv --- # Keras MelSpectrogram max_freq trigger PoC This is a benign security research PoC for the Huntr Model File Vulnerability program. Files: - `control_melspectrogram_maxfreq_8000.keras` - `malicious_melspectrogram_maxfreq_1000.keras` - `reproduce.py` - `requirements.txt` The malicious `.keras` file differs from the control by one serialized config field: ```text config.json:MelSpectrogram(name=mel_gate).max_freq control: 8000.0 malicious: 1000.0 ``` Reproduction: ```bash python -m pip install -r requirements.txt python reproduce.py control_melspectrogram_maxfreq_8000.keras malicious_melspectrogram_maxfreq_1000.keras ``` Expected result: ```text benign preds: control [1, 1], malicious [1, 1] trigger preds: control [0, 1], malicious [1, 1] target bin: 76.72 -> near 0 modelscan: No issues found ``` Tested with `keras==3.15.0`, `tensorflow==2.19.0`, and `modelscan==0.8.8`. Public files: - Control: https://huggingface.co/hacnho/keras-melspectrogram-maxfreq-trigger-poc/resolve/main/control_melspectrogram_maxfreq_8000.keras - Malicious: https://huggingface.co/hacnho/keras-melspectrogram-maxfreq-trigger-poc/resolve/main/malicious_melspectrogram_maxfreq_1000.keras - Reproducer: https://huggingface.co/hacnho/keras-melspectrogram-maxfreq-trigger-poc/resolve/main/reproduce.py