---
library_name: tensorflow
tags:
- security-research
- tensorflow
- savedmodel
- modelscan
---

# TensorFlow SavedModel TextFileInitializer ModelScan Bypass PoC

This is a harmless proof-of-concept TensorFlow SavedModel for an authorized Huntr report. The model contains an `InitializeTableFromTextFileV2` op whose filename is a model-controlled relative path:

```text
../victim_workspace/secret.txt
```

ModelScan 0.8.8 reports zero issues for this `saved_model.pb`, while TensorFlow 2.21.0 loads the model and returns the first line of that local file through the `serving_default` signature.

Run:

```bash
cd
python -m venv .venv
source .venv/bin/activate
python -m pip install -r requirements.txt
CUDA_VISIBLE_DEVICES=-1 python repro.py
```

Expected:

```json
{
  "modelscan_issue_count": 0,
  "leaked_expected_line": true,
  "visible_gpu_count": 0
}
```
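The scanner gap described above comes down to one static check: find every text-file table initializer in the graph, resolve the constant feeding its `filename` input, and flag paths that are absolute or climb out of the model directory with `..`. The following is an added example of that check, written for this README; it is not `repro.py`, not ModelScan code, and not part of the PoC model. It assumes the op's second input is the filename tensor (which matches the `InitializeTableFromTextFileV2` signature) and uses a constructed sample graph, `SAMPLE_NODES`, that mirrors the shape described above; `load_nodes` is an optional loader for a real `saved_model.pb` that needs TensorFlow's protobuf stubs installed.

```python
"""Offline check for text-file table initializers in a SavedModel graph.

Walks GraphDef nodes (and nodes inside FunctionDefs), finds
InitializeTableFromTextFile / InitializeTableFromTextFileV2 ops, resolves
the constant feeding their `filename` input, and flags any path that is
absolute or escapes the model directory through `..`.
"""
import posixpath
from dataclasses import dataclass, field

TABLE_INIT_OPS = {"InitializeTableFromTextFile", "InitializeTableFromTextFileV2"}


@dataclass
class Node:
    """Minimal view of a NodeDef: enough to resolve constant string inputs."""
    name: str
    op: str
    inputs: list = field(default_factory=list)
    string_consts: list = field(default_factory=list)  # decoded string_val of Const nodes


@dataclass
class Finding:
    node: str
    severity: str  # HIGH: escapes model dir, LOW: local path, MEDIUM: non-constant
    detail: str


def _producer_name(ref: str) -> str:
    """'^ctrl' marks a control edge, 'node:1' an output slot; keep the node name."""
    return ref.lstrip("^").split(":")[0]


def path_escapes(filename: str) -> bool:
    """True if the path is absolute or, after normalisation, starts with '..'."""
    norm = posixpath.normpath(filename.replace("\\", "/"))
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def scan_nodes(nodes):
    """Return a Finding for every text-file table initializer in `nodes`."""
    by_name = {n.name: n for n in nodes}
    findings = []
    for n in nodes:
        if n.op not in TABLE_INIT_OPS:
            continue
        # Op signature: inputs[0] = table handle, inputs[1] = filename tensor.
        if len(n.inputs) < 2:
            findings.append(Finding(n.name, "MEDIUM", "malformed op: no filename input"))
            continue
        src = by_name.get(_producer_name(n.inputs[1]))
        if src is None or src.op != "Const":
            findings.append(Finding(n.name, "MEDIUM",
                                    "filename is computed at runtime; inspect manually"))
            continue
        for path in src.string_consts:
            if path_escapes(path):
                findings.append(Finding(n.name, "HIGH", f"reads outside model dir: {path}"))
            else:
                findings.append(Finding(n.name, "LOW", f"reads local file: {path}"))
    return findings


def load_nodes(saved_model_pb_path):
    """Parse a saved_model.pb into Node objects (needs TensorFlow's protobuf stubs).
    Assumption: every MetaGraph's GraphDef plus its FunctionDef library is walked;
    name collisions across FunctionDefs are not disambiguated here."""
    from tensorflow.core.protobuf import saved_model_pb2  # optional dependency

    sm = saved_model_pb2.SavedModel()
    with open(saved_model_pb_path, "rb") as fh:
        sm.ParseFromString(fh.read())
    nodes = []
    for mg in sm.meta_graphs:
        node_lists = [mg.graph_def.node]
        node_lists += [fn.node_def for fn in mg.graph_def.library.function]
        for node_defs in node_lists:
            for nd in node_defs:
                strings = []
                if nd.op == "Const" and "value" in nd.attr:
                    strings = [s.decode("utf-8", "replace")
                               for s in nd.attr["value"].tensor.string_val]
                nodes.append(Node(nd.name, nd.op, list(nd.input), strings))
    return nodes


# Constructed sample graph mirroring the README's PoC shape (not the real model).
SAMPLE_NODES = [
    Node("vocab_path", "Const", [], ["../victim_workspace/secret.txt"]),
    Node("table", "HashTableV2", []),
    Node("init", "InitializeTableFromTextFileV2", ["table", "vocab_path"]),
    Node("asset_path", "Const", [], ["assets/vocab.txt"]),
    Node("table2", "HashTableV2", []),
    Node("init2", "InitializeTableFromTextFileV2", ["table2", "asset_path"]),
]

if __name__ == "__main__":
    import sys
    nodes = load_nodes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NODES
    for f in scan_nodes(nodes):
        print(f"{f.severity:6} {f.node}: {f.detail}")
```

Run it with no arguments to scan the constructed sample, or pass the path to a `saved_model.pb` to walk a real graph. A MEDIUM finding means the filename is produced by some other op rather than a `Const`, which a static pass cannot resolve; those are the cases to open in a sandboxed loader rather than trust by default.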