You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

Keras Native nested Lambda scanner-bypass PoC

This repository contains a .keras model-file security PoC for Huntr's Model File Vulnerability program.

The model contains a keras.layers.Lambda layer nested inside a child Sequential model. ModelScan's Keras scanner detects a top-level Lambda layer, but misses this nested Lambda because it only inspects the top-level config.layers array in config.json.

Files

  • nested_lambda.keras
  • top_lambda.keras โ€” control artifact with a top-level Lambda detected by the scanner
  • reproduce.py โ€” self-contained validation script for the scanner-bypass/output-manipulation evidence

Run:

python reproduce.py

Expected scanner behavior

Top-level Lambda control model:

case=top_lambda.keras
  source_modelscan_issues=['Lambda']
  recursive_lambda_count=1
    lambda_path=$.config.layers[1]

Nested Lambda bypass model:

case=nested_lambda.keras
  source_modelscan_issues=[] errors=0 skipped=0
  recursive_lambda_count=1
    lambda_path=$.config.layers[1].config.layers[1]

Keras reachability

Keras blocks the model with safe_mode=True, as expected:

keras_load_safe_mode_true=blocked: ValueError: Requested the deserialization of a `Lambda` layer whose `function` is a Python lambda.

When the model is loaded with safe_mode=False, the nested Lambda is reached during inference and returns attacker-controlled output:

keras_load_safe_mode_false_output=[1337.0]

Security boundary

This is not a Keras safe_mode=True bypass. The issue is a scanner bypass: a .keras artifact that contains an unsafe Lambda payload can be reported clean by non-recursive Keras scanner logic while still being reachable by Keras when unsafe deserialization is enabled.

Reproduction

reproduce.py extracts the Keras Native config.json, applies the same top-level-only Lambda check used by the vulnerable scanner logic, recursively locates nested Lambda layers, and loads the nested model with Keras to demonstrate the inference-time output change under safe_mode=False.

Official ModelScan CLI comparison:

modelscan -p top_lambda.keras
modelscan -p nested_lambda.keras

Expected result: top_lambda.keras reports one unsafe Lambda issue, while nested_lambda.keras reports no issues.

Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support