Instructions to use jhguighukjghkj/keras-nested-lambda-modelscan-bypass-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Keras
How to use jhguighukjghkj/keras-nested-lambda-modelscan-bypass-poc with Keras:
# Available backend options are: "jax", "torch", "tensorflow". import os os.environ["KERAS_BACKEND"] = "jax" import keras model = keras.saving.load_model("hf://jhguighukjghkj/keras-nested-lambda-modelscan-bypass-poc") - Notebooks
- Google Colab
- Kaggle
Keras Native nested Lambda scanner-bypass PoC
This repository contains a .keras model-file security PoC for Huntr's Model File Vulnerability program.
The model contains a keras.layers.Lambda layer nested inside a child Sequential model. ModelScan's Keras scanner detects a top-level Lambda layer, but misses this nested Lambda because it only inspects the top-level config.layers array in config.json.
Files
nested_lambda.kerastop_lambda.kerasโ control artifact with a top-level Lambda detected by the scannerreproduce.pyโ self-contained validation script for the scanner-bypass/output-manipulation evidence
Run:
python reproduce.py
Expected scanner behavior
Top-level Lambda control model:
case=top_lambda.keras
source_modelscan_issues=['Lambda']
recursive_lambda_count=1
lambda_path=$.config.layers[1]
Nested Lambda bypass model:
case=nested_lambda.keras
source_modelscan_issues=[] errors=0 skipped=0
recursive_lambda_count=1
lambda_path=$.config.layers[1].config.layers[1]
Keras reachability
Keras blocks the model with safe_mode=True, as expected:
keras_load_safe_mode_true=blocked: ValueError: Requested the deserialization of a `Lambda` layer whose `function` is a Python lambda.
When the model is loaded with safe_mode=False, the nested Lambda is reached during inference and returns attacker-controlled output:
keras_load_safe_mode_false_output=[1337.0]
Security boundary
This is not a Keras safe_mode=True bypass. The issue is a scanner bypass: a .keras artifact that contains an unsafe Lambda payload can be reported clean by non-recursive Keras scanner logic while still being reachable by Keras when unsafe deserialization is enabled.
Reproduction
reproduce.py extracts the Keras Native config.json, applies the same top-level-only Lambda check used by the vulnerable scanner logic, recursively locates nested Lambda layers, and loads the nested model with Keras to demonstrate the inference-time output change under safe_mode=False.
Official ModelScan CLI comparison:
modelscan -p top_lambda.keras
modelscan -p nested_lambda.keras
Expected result: top_lambda.keras reports one unsafe Lambda issue, while nested_lambda.keras reports no issues.
- Downloads last month
- -