TensorFlow SavedModel TextFileInitializer ModelScan Bypass PoC

This is a harmless proof-of-concept TensorFlow SavedModel for an authorized Huntr report.

The model contains an InitializeTableFromTextFileV2 op whose filename input is a model-controlled relative path:

../victim_workspace/secret.txt

ModelScan 0.8.8 reports zero issues for this saved_model.pb, while TensorFlow 2.21.0 loads the model and returns the first line of that local file through the serving_default signature.

Run:

cd <repo-root>
python -m venv .venv
source .venv/bin/activate
python -m pip install -r requirements.txt
CUDA_VISIBLE_DEVICES=-1 python repro.py

Expected:

{
  "modelscan_issue_count": 0,
  "leaked_expected_line": true,
  "visible_gpu_count": 0
}
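Because the scanner has no rule for this op, a defender can add a graph-level check of their own. The following is an added example, not code from this report or from ModelScan: it walks GraphDef nodes in the dict form produced by google.protobuf.json_format.MessageToDict(proto, preserving_proto_field_name=True), resolves the filename input (input index 1) of each table initializer back to its Const, and flags paths that leave the model directory. SAMPLE_NODES is a constructed graph fragment mirroring the PoC above; the node names in it are assumptions.

```python
import base64
import posixpath

# Constructed sample graph nodes, in the shape MessageToDict(proto,
# preserving_proto_field_name=True) gives for a GraphDef; bytes fields
# such as string_val are base64 in that form. Mirrors the PoC above.
SAMPLE_NODES = [
    {"name": "vocab_path", "op": "Const",
     "attr": {"value": {"tensor": {"dtype": "DT_STRING",
              "string_val": [base64.b64encode(b"../victim_workspace/secret.txt").decode()]}}}},
    {"name": "table", "op": "HashTableV2"},
    {"name": "init", "op": "InitializeTableFromTextFileV2",
     "input": ["table:0", "vocab_path:output:0", "^table"]},
]

TABLE_INIT_OPS = {"InitializeTableFromTextFile", "InitializeTableFromTextFileV2"}

def const_string(node):
    """Decoded scalar string of a Const node, or None if not a string Const."""
    if not node or node.get("op") != "Const":
        return None
    vals = node.get("attr", {}).get("value", {}).get("tensor", {}).get("string_val", [])
    return base64.b64decode(vals[0]).decode(errors="replace") if vals else None

def escapes_model_dir(path):
    """True if the filename resolves outside the model directory (absolute or via '..')."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")

def graph_nodes(graph_def):
    """Nodes of the main graph plus those inside every function in its library."""
    nodes = list(graph_def.get("node", []))
    for fn in graph_def.get("library", {}).get("function", []):
        nodes.extend(fn.get("node_def", []))
    return nodes

def find_text_file_initializers(nodes):
    """One finding per table initializer; the filename is input 1 of the op."""
    by_name = {n["name"]: n for n in nodes}
    findings = []
    for n in nodes:
        if n.get("op") not in TABLE_INIT_OPS:
            continue
        data_inputs = [i for i in n.get("input", []) if not i.startswith("^")]
        src = by_name.get(data_inputs[1].split(":")[0]) if len(data_inputs) > 1 else None
        path = const_string(src)  # None when the filename is not a graph constant
        verdict = ("unresolved" if path is None else
                   "escapes_model_dir" if escapes_model_dir(path) else "in_model")
        findings.append({"node": n["name"], "filename": path, "verdict": verdict})
    return findings
```

To run it against a real saved_model.pb, parse the file into tensorflow.core.protobuf.saved_model_pb2.SavedModel, convert meta_graphs[0].graph_def with MessageToDict(preserving_proto_field_name=True) and pass graph_nodes(...) of that dict in; an "unresolved" verdict still deserves manual review, since the path may be supplied at load time.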