ModelScan Regularizer & Constraint from_config Bypass

What This Is

ModelScan only checks Lambda layers. Regularizers and constraints embedded inside layer configs (kernel_regularizer, bias_regularizer, kernel_constraint, bias_constraint) are completely ignored.

This .keras file uses both a custom regularizer and a custom constraint, each with malicious from_config(). ModelScan reports 0 Issues. Loading triggers both payloads.

Verify

python3 poc.py

Attack Surface

Layer config sub-fields not scanned by ModelScan:

  • kernel_regularizer / bias_regularizer / activity_regularizer
  • kernel_constraint / bias_constraint
  • kernel_initializer / bias_initializer (separate bypass)
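
As an added example (not part of this PoC or of ModelScan itself), the following check walks a .keras archive's config.json and flags every object in the sub-fields above whose module does not resolve to a built-in Keras namespace, which is the gap the scanner leaves open. It assumes the Keras 3 serialization layout (each object is a dict with module, class_name, config and registered_name); the sample config and the CustomReg/CustomConstraint names are constructed.

```python
import json
import zipfile

# Layer-config sub-fields the page lists as unscanned by ModelScan.
SUSPECT_FIELDS = (
    "kernel_regularizer", "bias_regularizer", "activity_regularizer",
    "kernel_constraint", "bias_constraint",
    "kernel_initializer", "bias_initializer",
)

def _walk(node, path, hits):
    """Recurse through a loaded config.json, collecting suspect objects."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            # Assumption (Keras 3 layout): a serialized object is a dict with
            # "class_name", and built-ins carry a "module" under "keras.".
            if key in SUSPECT_FIELDS and isinstance(value, dict) and "class_name" in value:
                module = value.get("module") or "<unset>"
                if not module.startswith("keras."):
                    hits.append((here, value["class_name"], module))
            _walk(value, here, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", hits)

def find_untrusted_objects(model_config):
    """(path, class_name, module) for each non-built-in regularizer/constraint/initializer."""
    hits = []
    _walk(model_config, "", hits)
    return hits

def scan_keras_archive(path):
    """Read config.json out of a .keras zip archive and scan it."""
    with zipfile.ZipFile(path) as zf:
        return find_untrusted_objects(json.loads(zf.read("config.json")))

# Constructed sample config: a Dense layer with a built-in L2 regularizer
# (allowed) plus a custom regularizer and constraint serialized from __main__.
SAMPLE_CONFIG = {"class_name": "Sequential", "config": {"layers": [
    {"class_name": "Dense", "config": {
        "units": 4, "kernel_initializer": "glorot_uniform",
        "kernel_regularizer": {"module": "keras.regularizers", "class_name": "L2",
                               "config": {"l2": 0.01}, "registered_name": None},
        "bias_regularizer": {"module": "__main__", "class_name": "CustomReg",
                             "config": {}, "registered_name": "CustomReg"},
        "kernel_constraint": {"module": "__main__", "class_name": "CustomConstraint",
                              "config": {}, "registered_name": "CustomConstraint"},
    }}]}}
```

Run `scan_keras_archive("model.keras")` against a real file; any non-empty result is a reason to refuse to load the model without review.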

Disclosure

Submitted to ProtectAI via huntr.dev.
