| --- |
| license: mit |
| --- |
| |
| # ModelScan Nested Keras Lambda Layer Detection Bypass — PoC |
|
|
| This repository contains a proof-of-concept `.keras` model file for a detection |
| bypass in [protectai/modelscan](https://github.com/protectai/modelscan) (v0.8.6). |
|
|
| ## File |
| - `nested_lambda_poc.keras` — a Keras model whose malicious `Lambda` layer is |
| nested inside an inner `Sequential` sub-model. |
|
|
| ## Behavior |
| - ModelScan 0.8.6 only inspects the top-level `config.layers` list, so it reports |
| **"No issues found"** for this file. |
| - An identical Lambda at the top level is correctly flagged as MEDIUM severity. |
| - The nested Lambda still executes arbitrary code at `keras.models.load_model()` time. |
|
|
| This PoC is shared privately (gated, manual review) for vulnerability disclosure |
| purposes only. |
|
|
