---
library_name: keras
tags:
- security-research
- modelscan-bypass
- regularizer
- constraint
- from-config
- rce
---

# ModelScan Regularizer & Constraint from_config Bypass

## What This Is

ModelScan only checks Lambda layers. Regularizers and constraints embedded inside layer configs (`kernel_regularizer`, `bias_regularizer`, `kernel_constraint`, `bias_constraint`) are **completely ignored**.

This `.keras` file uses both a custom regularizer and a custom constraint, each with a malicious `from_config()`. ModelScan reports **0 Issues**. Loading the model triggers both payloads.

## Verify

```bash
python3 poc.py
```

## Attack Surface

Layer config sub-fields not scanned by ModelScan:
- `kernel_regularizer` / `bias_regularizer` / `activity_regularizer`
- `kernel_constraint` / `bias_constraint`
- `kernel_initializer` / `bias_initializer` (separate bypass)
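
A defender-side check for the gap listed above, as an added example that is not part of the original PoC or of ModelScan: it walks `config.json` inside a `.keras` archive and reports every listed sub-field whose serialized object is not a Keras built-in. The `module`/`class_name` dict layout, `example_pkg` and the `Example*` class names are assumptions used for the constructed sample.

```python
import io, json, zipfile

# Layer-config sub-fields this page lists as unscanned.
WATCHED = {"kernel_regularizer", "bias_regularizer", "activity_regularizer",
           "kernel_constraint", "bias_constraint",
           "kernel_initializer", "bias_initializer"}

def is_builtin(obj):
    # Assumption: built-ins are serialized as None, a plain string ("zeros"),
    # or a dict whose "module" is in the keras package. Dicts without a
    # "module" (older formats) are reported too, so they get a manual review.
    if obj is None or isinstance(obj, str):
        return True
    module = obj.get("module") if isinstance(obj, dict) else None
    return isinstance(module, str) and (module + ".").startswith("keras.")

def find_custom_subobjects(node, path="$"):
    """Return (json_path, class_name, module) for each non-built-in watched field."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if key in WATCHED and not is_builtin(val):
                info = val if isinstance(val, dict) else {}
                hits.append((here, info.get("class_name"), info.get("module")))
            hits += find_custom_subobjects(val, here)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            hits += find_custom_subobjects(val, f"{path}[{i}]")
    return hits

def scan_keras_archive(fileobj):
    # A .keras file is a zip archive; the architecture lives in config.json.
    with zipfile.ZipFile(fileobj) as zf:
        return find_custom_subobjects(json.loads(zf.read("config.json")))

def build_sample():
    # Constructed sample: one Dense layer with a built-in initializer and a
    # non-Keras regularizer and constraint (hypothetical names, no payload).
    obj = lambda m, c: {"module": m, "class_name": c, "config": {}, "registered_name": None}
    dense = obj("keras.layers", "Dense")
    dense["config"] = {"units": 1, "bias_regularizer": None,
        "kernel_initializer": obj("keras.initializers", "GlorotUniform"),
        "kernel_regularizer": obj("example_pkg", "ExampleRegularizer"),
        "kernel_constraint": obj("example_pkg", "ExampleConstraint")}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps({"class_name": "Sequential", "config": {"layers": [dense]}}))
    return io.BytesIO(buf.getvalue())
```

`scan_keras_archive` only reads the archive as a zip and never imports Keras, so it can run on untrusted files before any loading step.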

## Disclosure

Submitted to ProtectAI via huntr.dev.