---
license: mit
tags:
- security-research
- modelscan-bypass
- keras
---

# Security Research — Keras Nested Lambda Scanner Bypass

**This model is for authorized security research only.**

This repository demonstrates a vulnerability in ProtectAI's modelscan scanner (v0.8.8) where Lambda layers nested inside Functional or Sequential submodels evade detection.

## Vulnerability

modelscan checks top-level `config.layers` for `class_name == "Lambda"` but does not recurse into nested submodel configurations. A malicious Lambda layer inside a nested Functional model passes scanning with "No issues found" but executes arbitrary code on `keras.models.load_model()`.

## Affected

- modelscan <= 0.8.8
- Both .keras and .h5 formats
- Both Functional and Sequential nesting

## Disclosure

Responsible disclosure via Huntr MFV program.