Keras Native Nested Lambda ModelScan Bypass PoC

This repository is a benign security proof of concept for the native Keras .keras model format. The model contains a nested keras.layers.Lambda layer whose inline Python lambda writes a local marker file when the artifact is loaded with safe_mode=False.

Files

  • nested_lambda_native.keras - native Keras zip model containing the nested Lambda layer.
  • top_level_lambda_control.keras - control artifact with a top-level Lambda that ModelScan does detect.
  • verify_poc.py - verifies the artifact hash, inspects config.json, runs ModelScan when installed, and demonstrates Keras runtime behavior.
  • results.json - captured local validation output.
  • modelscan_nested_lambda.json - ModelScan JSON output for the PoC artifact.
  • modelscan_top_level_control.json - ModelScan JSON output for a control artifact with a top-level Lambda.

Reproduction

Use Python 3.12 and install the tested packages:

python -m pip install keras==3.14.1 tensorflow==2.21.0 modelscan==0.8.8 numpy==2.4.4 h5py==3.14.0
python verify_poc.py

Expected behavior:

  • keras.saving.load_model(..., safe_mode=True) blocks the nested Lambda as unsafe.
  • keras.saving.load_model(..., safe_mode=False) creates keras_native_marker.txt with the marker string KERAS_NATIVE_NESTED_LAMBDA_EXECUTED.
  • modelscan scan -p nested_lambda_native.keras -r json --show-skipped reports zero issues for the nested-Lambda model.
  • A top-level Lambda control is detected by ModelScan as Use of unsafe operator 'Lambda' from module 'Keras', showing that the bypass comes from ModelScan not traversing nested layer configs rather than from the Lambda itself being undetectable.

Scanner Output Summary

Tested scanner: ModelScan 0.8.8.

PoC artifact:

  • Total issues: 0
  • Scanned files: nested_lambda_native.keras
  • Nested Lambda location: root.config.layers[1].config.layers[1]
  • Top-level layers visible to the current ModelScan Keras logic: InputLayer, Functional

Control artifact:

  • Total issues: 1
  • Severity: MEDIUM
  • Operator: Lambda
  • Source: top_level_lambda_control.keras:config.json

Artifact Details

  • File: nested_lambda_native.keras
  • SHA256: 066bd70a8946b41400372d8312704b939c8d233b9e61e895527ade3d1fe3783e
  • Size: 18,590 bytes

Security Impact

ModelScan's Keras native scanner detects top-level Lambda layers but misses Lambda layers nested inside a Functional model contained by the outer model. A user or service relying on ModelScan to identify unsafe Lambda deserialization in .keras files can receive a zero-issue scan result even though Keras itself later reaches the embedded Lambda and, when unsafe deserialization is enabled, executes the lambda's Python code during model loading.

This PoC is intentionally benign and only writes a local marker file. It does not perform network access, persistence, credential access, or destructive actions.

Mitigation

Recursively traverse the entire Keras config.json object graph for unsafe layer classes and function configs rather than checking only top-level config.layers. Treat any nested class_name == "Lambda" or serialized __lambda__ function as unsafe regardless of depth.
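The recursive check described above as a stand-alone scanner, added here as an example and not ModelScan's or the repository's own code. The sample config is constructed to mirror the PoC layout (outer Functional, inner Functional, Lambda at root.config.layers[1].config.layers[1]); the "function" / "__lambda__" key layout for a serialized Lambda is assumed from Keras 3's format, and scan_keras_file assumes a native .keras zip with a config.json entry.

```python
import json
import zipfile
from typing import Any, Iterator

# Constructed minimal config.json mirroring the PoC nesting; real Keras configs carry
# many more keys, only those the check needs are shown.
SAMPLE_CONFIG = {
    "class_name": "Functional",
    "config": {"layers": [
        {"class_name": "InputLayer", "config": {"name": "input_layer"}},
        {"class_name": "Functional", "config": {"layers": [
            {"class_name": "InputLayer", "config": {"name": "inner_input"}},
            {"class_name": "Lambda", "config": {
                "name": "inner_lambda",
                "function": {"class_name": "__lambda__",
                             "config": {"code": "<serialized bytecode omitted>"}},
            }},
        ]}},
    ]},
}

# Both the layer class and the serialized function marker count as unsafe at any depth.
UNSAFE_CLASS_NAMES = {"Lambda", "__lambda__"}


def walk(node: Any, path: str = "root") -> Iterator[tuple[str, str]]:
    """Yield (json_path, class_name) for every unsafe object, however deeply nested."""
    if isinstance(node, dict):
        cls = node.get("class_name")
        if cls in UNSAFE_CLASS_NAMES:
            yield path, cls
        for key, value in node.items():  # descend into every value, not just "layers"
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def find_unsafe(config: dict) -> list[tuple[str, str]]:
    return list(walk(config))


def scan_keras_file(path: str) -> list[tuple[str, str]]:
    """Open a native .keras zip and scan its config.json (assumed layout)."""
    with zipfile.ZipFile(path) as zf:
        return find_unsafe(json.loads(zf.read("config.json")))
```

A non-empty result means the artifact should be treated as unsafe to load with safe_mode=False, whichever depth the hit is at.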
