YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
tensorflowjs HDF5 converter arbitrary file read β proof of concept
tensorflowjs (PyPI 4.22.0) converts Keras .h5 models for the browser. Its reader opens the model with raw h5py and reads weight datasets (keras_h5_conversion.py: _ensure_h5file line 150 h5py.File, _convert_h5_group line 76 np.array(group[weight_name])) without rejecting HDF5 external-storage datasets, external links, or virtual datasets. A malicious .h5 whose weight dataset uses external storage makes the converter open and read an arbitrary host file and write its bytes into the generated tfjs weights.
Reached from the default path: tensorflowjs_converter --input_format keras model.h5 out/ defaults to tfjs_layers_model output (converter.py:552-553), which uses the raw h5py reader (the Keras loader path is only for graph-model output).
Keras guards this exact primitive (saving_lib.py rejects dataset.external / virtual) and received CVE-2026-1669 / CVE-2025-9905. tensorflowjs uses its own reader and has no guard.
Files
poc.pyβ self contained proof. Builds a malicious .h5 with an external-storage weight dataset and reads it via tensorflowjs's reader (_convert_h5_group), showing an out-of-model secret and/etc/passwdreturned as weight data.malicious.h5β a sample model whose weight dataset points at/etc/passwd.log.txtβ a captured run.
Run
pip install tensorflowjs
python3 poc.py
Impact
A pipeline that converts user supplied .h5 models with tensorflowjs (model hub, shared conversion server, CI) discloses arbitrary local files to an attacker; the bytes are written into the published tfjs output, so convert-and-publish exfiltrates them. Unauthenticated, runs with the converting process privileges.
Fix
Reject external-storage datasets, external links, and virtual datasets before reading, mirroring the Keras saving_lib guard, or set an external file prefix that confines references to the model directory.