Commit 9e64981 by xiaoyaoes: Regularizer+Constraint from_config bypass
---
library_name: keras
tags:
  - security-research
  - modelscan-bypass
  - regularizer
  - constraint
  - from-config
  - rce
---

ModelScan Regularizer & Constraint from_config Bypass

What This Is

ModelScan only checks Lambda layers. Regularizers and constraints embedded inside layer configs (kernel_regularizer, bias_regularizer, kernel_constraint, bias_constraint) are not inspected at all, even though each of them is deserialized, and its from_config() executed, when the model is loaded.

This .keras file uses both a custom regularizer and a custom constraint, each with malicious from_config(). ModelScan reports 0 Issues. Loading triggers both payloads.

Verify

python3 poc.py

Attack Surface

Layer config sub-fields that ModelScan does not scan:

  • kernel_regularizer / bias_regularizer / activity_regularizer
  • kernel_constraint / bias_constraint
  • kernel_initializer / bias_initializer (separate bypass)
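As an added defensive check (this is not the repository's poc.py nor ModelScan code), the script below opens the config.json inside a .keras archive and flags every regularizer, constraint or initializer in the sub-fields listed above whose serialized object points at a module outside the Keras distribution or carries a registered_name, which is what a custom class with its own from_config() looks like on disk. The archive layout (config.json at the zip root) and the serialized-object keys module / class_name / registered_name are assumptions about the Keras 3 format; the sample config, including the class names UnknownRegularizer and UnknownConstraint, is constructed for the example.

```python
import json
import zipfile
from typing import Any

# Layer config sub-fields that the page reports ModelScan does not inspect.
SUSPECT_FIELDS = frozenset({
    "kernel_regularizer", "bias_regularizer", "activity_regularizer",
    "kernel_constraint", "bias_constraint",
    "kernel_initializer", "bias_initializer",
})

# Module prefixes shipped with Keras itself (assumption). Any other module,
# e.g. "__main__" or a third-party package, means load_model() will run
# from_config() of code that did not come from the framework.
TRUSTED_MODULE_PREFIXES = ("keras.", "keras_core.", "tensorflow.keras.", "tf_keras.")


def is_builtin_object(obj: dict) -> bool:
    """True if a serialized Keras object resolves to a framework-provided class."""
    module = obj.get("module") or ""
    # Built-in objects serialize with registered_name == null; a non-null value
    # indicates a class registered via register_keras_serializable (assumption).
    return module.startswith(TRUSTED_MODULE_PREFIXES) and obj.get("registered_name") is None


def find_untrusted_objects(node: Any, path: str = "$") -> list[dict]:
    """Recursively walk a model config and collect suspect sub-field objects."""
    findings: list[dict] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if (key in SUSPECT_FIELDS and isinstance(value, dict)
                    and "class_name" in value and not is_builtin_object(value)):
                findings.append({
                    "path": here,
                    "field": key,
                    "class_name": value.get("class_name"),
                    "module": value.get("module"),
                    "registered_name": value.get("registered_name"),
                })
            # Keep descending: nested models (Sequential/Functional) hold
            # further layer configs under their own "config" key.
            findings.extend(find_untrusted_objects(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_untrusted_objects(item, f"{path}[{i}]"))
    return findings


def scan_keras_archive(archive_path: str) -> list[dict]:
    """Read config.json from a .keras zip archive and scan it without loading the model."""
    with zipfile.ZipFile(archive_path) as zf:
        config = json.loads(zf.read("config.json"))
    return find_untrusted_objects(config)


# Constructed sample: one Dense layer with two built-in objects and two
# custom ones. Plain-string initializers such as "zeros" are not dicts and
# are therefore never flagged.
SAMPLE_CONFIG = {
    "module": "keras", "class_name": "Sequential", "registered_name": None,
    "config": {"name": "sequential", "layers": [
        {"module": "keras.layers", "class_name": "Dense", "registered_name": None,
         "config": {
             "name": "dense", "units": 4,
             "kernel_initializer": {"module": "keras.initializers", "class_name": "GlorotUniform",
                                    "config": {"seed": None}, "registered_name": None},
             "bias_initializer": "zeros",
             "kernel_regularizer": {"module": "keras.regularizers", "class_name": "L2",
                                    "config": {"l2": 0.01}, "registered_name": None},
             "bias_regularizer": {"module": "__main__", "class_name": "UnknownRegularizer",
                                  "config": {}, "registered_name": "Custom>UnknownRegularizer"},
             "kernel_constraint": {"module": "__main__", "class_name": "UnknownConstraint",
                                   "config": {}, "registered_name": "Custom>UnknownConstraint"},
         }},
    ]},
}


if __name__ == "__main__":
    for finding in find_untrusted_objects(SAMPLE_CONFIG):
        print(f"{finding['path']}: {finding['module']}.{finding['class_name']} "
              f"(registered_name={finding['registered_name']})")
```

Run it against a real file with scan_keras_archive("model.keras") before calling load_model; because it only parses JSON it cannot trigger any from_config(). A stricter policy is to replace the module-prefix check with an allowlist of the exact built-in class names you expect (L1, L2, MaxNorm, and so on), so that an unexpected class under a trusted-looking module name is also reported.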

Disclosure

Submitted to ProtectAI via huntr.dev.