---
license: mit
tags:
- security-research
- modelscan-bypass
- keras
---

# Security Research — Keras Nested Lambda Scanner Bypass

**This model is for authorized security research only.**

This repository demonstrates a vulnerability in ProtectAI's modelscan scanner (v0.8.8) where Lambda layers nested inside Functional or Sequential submodels evade detection.

## Vulnerability

modelscan checks top-level `config.layers` for `class_name == "Lambda"` but does not recurse into nested submodel configurations. A malicious Lambda layer inside a nested Functional model passes scanning with "No issues found" but executes arbitrary code on `keras.models.load_model()`.

## Affected

- modelscan <= 0.8.8
- Both `.keras` and `.h5` formats
- Both Functional and Sequential nesting

## Disclosure

Responsible disclosure via Huntr MFV program.
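
The gap described under "Vulnerability", seen from the detection side, as an added example that is not code from this repository or from modelscan: `top_level_lambdas` models a check limited to top-level `config.layers`, and `find_lambdas` walks the whole config tree (every nested dict and list, which goes beyond the `layers` key alone). The sample config, its layer names and both function names are constructed for illustration.

```python
# Constructed sample: the shape of a Keras model config with a Lambda layer
# inside a nested Functional submodel. The function value is a placeholder.
SAMPLE_CONFIG = {
    "class_name": "Functional",
    "config": {
        "name": "outer",
        "layers": [
            {"class_name": "InputLayer", "config": {"name": "in"}},
            {"class_name": "Functional",
             "config": {
                 "name": "inner",
                 "layers": [
                     {"class_name": "InputLayer", "config": {"name": "inner_in"}},
                     {"class_name": "Lambda",
                      "config": {"name": "hidden", "function": "<placeholder>"}},
                 ],
             }},
            {"class_name": "Dense", "config": {"name": "out", "units": 1}},
        ],
    },
}


def top_level_lambdas(model_config):
    """Model of a top-level-only check: inspects config.layers, no recursion."""
    layers = model_config.get("config", {}).get("layers", [])
    return [layer.get("config", {}).get("name") for layer in layers
            if layer.get("class_name") == "Lambda"]


def find_lambdas(node, path="$"):
    """Walk every dict and list in the config; return paths of Lambda layers."""
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") == "Lambda":
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_lambdas(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_lambdas(value, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    print("top-level check:", top_level_lambdas(SAMPLE_CONFIG))
    print("recursive check:", find_lambdas(SAMPLE_CONFIG))
```

To apply the recursive walk to a real file without loading the model, parse `config.json` from the `.keras` archive, or the `model_config` attribute of an `.h5` file, with `json.loads` and pass the result to `find_lambdas`.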