ModelScan SavedModel TF Op Scanner Bypass PoC
Vulnerability
ModelScan's SavedModelTensorflowOpScan has an incomplete unsafe operators blocklist.
It only blocks 2 TensorFlow operations (ReadFile, WriteFile) out of ~1,461 registered
raw_ops. Many dangerous operations pass undetected, including MatchingFiles which
enables filesystem enumeration.
Impact
An attacker can create a malicious SavedModel that:
- Passes ModelScan security scanning with zero detected issues
- Enumerates sensitive filesystem paths when loaded (SSH keys, credentials, config files)
- Hides the attack inside normal-looking prediction functions
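A defensive check for the gap described above, added here as an example (it is neither ModelScan's code nor the PoC's): it walks every FunctionDef in the SavedModel, because a tf.function such as a prediction signature is serialized there rather than as top-level graph nodes. The blocklist is an assumed starting policy and the sample model is a constructed stand-in with the attribute shape of a parsed SavedModel proto.

```python
from types import SimpleNamespace as NS
from typing import Iterable, List, Tuple

# Assumed starting blocklist: the two ops ModelScan checks plus MatchingFiles,
# the op that bypasses the scanner. Treat it as policy to extend, not as exhaustive.
UNSAFE_OPS = frozenset({"ReadFile", "WriteFile", "MatchingFiles"})

def find_unsafe_ops(nodes: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Flag every (location, node_name, op_type) triple whose op is blocklisted."""
    return [{"location": loc, "node": name, "op": op}
            for loc, name, op in nodes if op in UNSAFE_OPS]

def iter_saved_model_nodes(saved_model) -> Iterable[Tuple[str, str, str]]:
    """Yield ops from a parsed SavedModel proto: the top-level GraphDef of each
    MetaGraph AND every FunctionDef in its library. A tf.function (e.g. a 'predict'
    signature) is serialized as a FunctionDef, so a scan of top-level nodes alone
    never sees the ops hidden inside it."""
    for i, mg in enumerate(saved_model.meta_graphs):
        graph_def = mg.graph_def
        for n in graph_def.node:
            yield (f"meta_graph[{i}]", n.name, n.op)
        for fn in graph_def.library.function:
            loc = f"meta_graph[{i}]/function:{fn.signature.name}"
            for n in fn.node_def:
                yield (loc, n.name, n.op)

def scan_saved_model_file(path: str) -> List[dict]:
    """Parse a saved_model.pb on disk and scan it (needs the tensorflow package)."""
    from tensorflow.core.protobuf import saved_model_pb2  # lazy import
    sm = saved_model_pb2.SavedModel()
    with open(path, "rb") as f:
        sm.ParseFromString(f.read())
    return find_unsafe_ops(iter_saved_model_nodes(sm))

def _node(name: str, op: str):
    return NS(name=name, op=op)

# Constructed stand-in with the attribute shape of a parsed SavedModel proto:
# a benign top-level graph and a 'predict' function that hides MatchingFiles.
SAMPLE_MODEL = NS(meta_graphs=[NS(graph_def=NS(
    node=[_node("x", "Placeholder"), _node("y", "MatMul")],
    library=NS(function=[NS(
        signature=NS(name="__inference_predict_42"),
        node_def=[_node("dense", "MatMul"), _node("ls", "MatchingFiles")],
    )]),
))])

if __name__ == "__main__":
    for hit in find_unsafe_ops(iter_saved_model_nodes(SAMPLE_MODEL)):
        print(f"UNSAFE {hit['op']} at {hit['location']} (node {hit['node']})")
```

Run against a real model with scan_saved_model_file("path/to/saved_model.pb"); a scanner that only inspects graph_def.node would report nothing for the constructed sample.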
Files
poc.py - Full proof-of-concept script
malicious_model/ - Pre-built malicious SavedModel
Reproduction
pip install modelscan[tensorflow] tensorflow
python poc.py
Affected
- modelscan <= 0.8.8
- Scanner: modelscan.scanners.SavedModelTensorflowOpScan