| library_name: keras | |
| tags: | |
| - security-research | |
| - modelscan-bypass | |
| - regularizer | |
| - constraint | |
| - from-config | |
| - rce | |
| # ModelScan Regularizer & Constraint from_config Bypass | |
| ## What This Is | |
| ModelScan only checks Lambda layers. Regularizers and constraints embedded inside layer configs (`kernel_regularizer`, `bias_regularizer`, `kernel_constraint`, `bias_constraint`) are **completely ignored**. | |
| This .keras file uses both a custom regularizer and a custom constraint, each with malicious `from_config()`. ModelScan reports **0 Issues**. Loading triggers both payloads. | |
| ## Verify | |
| ```bash | |
| python3 poc.py | |
| ``` | |
| ## Attack Surface | |
| Layer config sub-fields not scanned by ModelScan: | |
| - `kernel_regularizer` / `bias_regularizer` / `activity_regularizer` | |
| - `kernel_constraint` / `bias_constraint` | |
| - `kernel_initializer` / `bias_initializer` (separate bypass) | |
| ## Disclosure | |
| Submitted to ProtectAI via huntr.dev. | |