⚠️ Security PoC — NOT a usable model

Proof-of-concept malicious TensorFlow SavedModel files for a huntr "Model Format Vulnerability" submission (Protect AI / Palo Alto Prisma AIRS). They write attacker-chosen content to attacker-chosen paths when inference is run, yet Protect AI ModelScan reports them clean. Published only for responsible-disclosure reproduction: do not run them on a machine you care about.

What it demonstrates

ModelScan's SavedModel scanner denylists only two ops, ReadFile and WriteFile. TensorFlow has many other ops with filesystem side effects; embedding one of those in the graph gives the same arbitrary file write while the scanner reports 0 issues. PrintV2 only becomes a file sink when its output_stream attribute is a file:// URI, which is exactly what the first PoC uses.

| Dir | Op | Effect | ModelScan |
|---|---|---|---|
| evil_printv2 | PrintV2 (`tf.print(..., output_stream="file://PATH")`) | writes attacker content to attacker path | 0 issues |
| evil_savev2 | SaveV2 | writes checkpoint files at attacker path | 0 issues |
| naive_writefile | WriteFile (control) | same impact | HIGH — detected |
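The following is an added example of what a scanner that is not limited to ReadFile/WriteFile looks like; it is not ModelScan's code and not part of this repository. It walks every NodeDef in `saved_model.pb` (top-level graph plus the function library, where TF2 puts `tf.function` bodies) without loading or executing the model, flags a broader set of file-capable ops, and treats PrintV2 as a finding only when `output_stream` is a `file://` URI. `FILE_IO_OPS` is an assumed starting set of `tf.raw_ops` names chosen by the editor, not an exhaustive inventory; the `SAMPLE_GRAPHS` are constructed stand-ins for the three PoC directories (plus a benign control) so the scan logic runs offline, while `scan_saved_model()` assumes TensorFlow is installed and imports it lazily.

```python
"""Broader SavedModel file-I/O op scan (added example, not ModelScan's code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Mapping

# Ops that read or write the local filesystem when the graph executes.
# Assumption: a starting set of tf.raw_ops names (io_ops and checkpoint ops),
# deliberately broader than ReadFile/WriteFile but still not exhaustive.
FILE_IO_OPS = frozenset({
    "ReadFile", "WriteFile",            # the two ops ModelScan already denylists
    "Save", "SaveSlices", "SaveV2",     # checkpoint writers (evil_savev2 uses SaveV2)
    "Restore", "RestoreV2",             # checkpoint readers
    "MergeV2Checkpoints",               # rewrites/deletes checkpoint shards
    "MatchingFiles",                    # filesystem enumeration
    "CreateSummaryFileWriter",          # opens an event file for writing
})

# PrintV2 only touches disk when output_stream is a file:// URI; the other
# documented values (stderr, stdout, log(info), ...) never do.
FILE_SINK_PREFIX = b"file://"


@dataclass(frozen=True)
class Finding:
    node: str
    op: str
    detail: str
    severity: str = "HIGH"


def printv2_file_sink(attrs: Mapping[str, bytes]) -> bytes | None:
    """Return the target path if a PrintV2 node writes to a file:// stream, else None."""
    stream = attrs.get("output_stream", b"")
    if stream.startswith(FILE_SINK_PREFIX):
        return stream[len(FILE_SINK_PREFIX):]
    return None


def scan_nodes(nodes: Iterable[tuple[str, str, Mapping[str, bytes]]]) -> list[Finding]:
    """Flag every node whose op can read or write the filesystem.

    nodes: (node_name, op_type, {attr_name: string_attr_value}) triples, i.e. the
    slice of each NodeDef the check needs; scan_saved_model() produces them.
    """
    findings: list[Finding] = []
    for name, op, attrs in nodes:
        if op in FILE_IO_OPS:
            findings.append(Finding(name, op, "filesystem op embedded in graph"))
        elif op == "PrintV2":
            path = printv2_file_sink(attrs)
            if path is not None:
                findings.append(Finding(
                    name, op, f"output_stream writes to {path.decode(errors='replace')}"))
    return findings


def scan_saved_model(model_dir: str) -> list[Finding]:
    """Parse saved_model.pb directly so nothing in the model is executed.

    Assumption: the tensorflow package is installed; the import is deferred so
    scan_nodes() stays usable without it.
    """
    import os
    from tensorflow.core.protobuf import saved_model_pb2

    with open(os.path.join(model_dir, "saved_model.pb"), "rb") as f:
        sm = saved_model_pb2.SavedModel.FromString(f.read())

    nodes = []
    for mg in sm.meta_graphs:
        # Top-level graph nodes plus every tf.function body in the function
        # library; a TF2 SavedModel keeps most of its ops in the latter.
        all_nodes = list(mg.graph_def.node)
        for fn in mg.graph_def.library.function:
            all_nodes.extend(fn.node_def)
        for n in all_nodes:
            attrs = {k: v.s for k, v in n.attr.items() if v.WhichOneof("value") == "s"}
            nodes.append((n.name, n.op, attrs))
    return scan_nodes(nodes)


# Constructed sample graphs standing in for the three PoC directories and a
# benign control: the (name, op, attrs) triples a scan_saved_model() walk yields.
SAMPLE_GRAPHS = {
    "evil_printv2": [
        ("Const", "Const", {}),
        ("PrintV2", "PrintV2", {"output_stream": b"file:///tmp/PWNED_printv2.txt"}),
    ],
    "evil_savev2": [("Const", "Const", {}), ("SaveV2", "SaveV2", {})],
    "naive_writefile": [("Const", "Const", {}), ("WriteFile", "WriteFile", {})],
    "benign_print": [
        ("PrintV2", "PrintV2", {"output_stream": b"stderr"}),
        ("MatMul", "MatMul", {}),
    ],
}


def report() -> dict[str, int]:
    """Issue count per sample graph (the number ModelScan's JSON calls total_issues)."""
    return {name: len(scan_nodes(nodes)) for name, nodes in SAMPLE_GRAPHS.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python scan.py evil_printv2
        for fnd in scan_saved_model(sys.argv[1]):
            print(f"{fnd.severity}: {fnd.op} in node {fnd.node}: {fnd.detail}")
    else:
        for name, count in report().items():
            print(f"{name}: total_issues={count}")
```

Run with no arguments it scans the constructed graphs and reports one issue for each PoC and none for the benign PrintV2-to-stderr control; run with a SavedModel directory it applies the same check to the real `saved_model.pb`. The op list is a policy decision a scanner has to maintain against TensorFlow's op registry, which is the underlying reason a two-entry denylist is so easy to sidestep.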

Reproduce

pip install tensorflow modelscan
python build_tf_poc.py            # regenerates the three SavedModels
python load_run.py evil_printv2   # inference -> writes PWNED_printv2.txt (attacker content)
modelscan -p evil_printv2 -r json # -> total_issues: 0  (bypass)
modelscan -p naive_writefile      # -> HIGH Tensorflow.WriteFile  (control is caught)

(ModelScan's SavedModel scanner only parses the graph when TensorFlow is importable, so either install modelscan with its tensorflow extra or, as above, install tensorflow alongside it; without it the scanner never sees the ops at all.)

Files

  • evil_printv2/, evil_savev2/, naive_writefile/ — the SavedModel PoCs
  • build_tf_poc.py — regenerates them deterministically
  • load_run.py — loads a SavedModel and runs inference (triggers the write)