You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

TensorFlow SavedModel AssetFileDef traversal PoC

This PoC demonstrates that a malicious saved_model.pb can set MetaGraphDef.asset_file_def[].filename to a traversal path such as ../../secret.txt. TensorFlow joins this value with <saved_model>/assets without containment checks. With asset-consuming load-time ops such as lookup table initializers, tf.saved_model.load() reads the outside file during model load.

Tested locally with tensorflow==2.20.0.

Run

python3.11 -m venv .venv-tf-sm-poc
. .venv-tf-sm-poc/bin/activate
pip install 'tensorflow==2.20.0'
python tf_savedmodel_asset_traversal_poc.py

Expected success line:

[SUCCESS] Patched SavedModel loaded data from outside its assets/ directory during tf.saved_model.load().

Impact

A scanner or consumer that treats a SavedModel as self-contained can be tricked into reading arbitrary local files accessible to the loading process, including during model load. Save-time TensorFlow emits asset basenames, but load-time accepts absolute/traversal filenames from saved_model.pb.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support