Instructions to use wladislax/tensorflow-savedmodel-modelscan-bypass with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- TF-Keras
How to use wladislax/tensorflow-savedmodel-modelscan-bypass with TF-Keras:
# Note: 'keras<3.x' or 'tf_keras' must be installed (legacy) # See https://github.com/keras-team/tf-keras for more details. from huggingface_hub import from_pretrained_keras model = from_pretrained_keras("wladislax/tensorflow-savedmodel-modelscan-bypass") - Notebooks
- Google Colab
- Kaggle
| license: other | |
| tags: | |
| - security | |
| - vulnerability-research | |
| - proof-of-concept | |
| - tensorflow | |
| - savedmodel | |
| - not-a-model | |
| viewer: false | |
| # β οΈ Security PoC β NOT a usable model | |
| Proof-of-concept malicious **TensorFlow SavedModel** files for a [huntr](https://huntr.com) | |
| "Model Format Vulnerability" submission (Protect AI / Palo Alto Prisma AIRS). They | |
| write attacker-chosen files when run, while being reported **clean by Protect AI | |
| ModelScan**. Published only for responsible-disclosure reproduction β do not run | |
| them on a machine you care about. | |
| ## What it demonstrates | |
| ModelScan's SavedModel scanner only denylists two ops (`ReadFile`, `WriteFile`). | |
| TensorFlow has many other file-I/O ops; embedding them gives the same arbitrary | |
| file write while the scanner reports 0 issues. | |
| | Dir | Op | Effect | ModelScan | | |
| |-----|----|--------|-----------| | |
| | `evil_printv2` | `PrintV2` (`tf.print(..., output_stream="file://PATH")`) | writes attacker **content** to attacker **path** | **0 issues** | | |
| | `evil_savev2` | `SaveV2` | writes checkpoint files at attacker path | **0 issues** | | |
| | `naive_writefile` | `WriteFile` (control) | same impact | **HIGH β detected** | | |
| ## Reproduce | |
| ```bash | |
| pip install tensorflow modelscan | |
| python build_tf_poc.py # regenerates the three SavedModels | |
| python load_run.py evil_printv2 # inference -> writes PWNED_printv2.txt (attacker content) | |
| modelscan -p evil_printv2 -r json # -> total_issues: 0 (bypass) | |
| modelscan -p naive_writefile # -> HIGH Tensorflow.WriteFile (control is caught) | |
| ``` | |
| (ModelScan must be installed with the `tensorflow` extra so its SavedModel scanner actually parses the graph.) | |
| ## Files | |
| - `evil_printv2/`, `evil_savev2/`, `naive_writefile/` β the SavedModel PoCs | |
| - `build_tf_poc.py` β regenerates them deterministically | |
| - `load_run.py` β loads a SavedModel and runs inference (triggers the write) | |