metadata
license: mit
tags:
- security-research
- modelscan-bypass
- keras
Security Research — Keras Nested Lambda Scanner Bypass
This model is for authorized security research only.
This repository demonstrates a vulnerability in ProtectAI's modelscan scanner (v0.8.8) where Lambda layers nested inside Functional or Sequential submodels evade detection.
Vulnerability
modelscan checks top-level config.layers for class_name == "Lambda" but does not recurse into nested submodel configurations. A malicious Lambda layer inside a nested Functional model passes scanning with "No issues found" but executes arbitrary code on keras.models.load_model().
Affected
- modelscan <= 0.8.8
- Both .keras and .h5 format
- Both Functional and Sequential nesting
Disclosure
Responsible disclosure via Huntr MFV program.