Instructions to use yanivfi1978/modelscan-keras-bypass-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Keras
How to use yanivfi1978/modelscan-keras-bypass-poc with Keras:
# Available backend options are: "jax", "torch", "tensorflow". import os os.environ["KERAS_BACKEND"] = "jax" import keras model = keras.saving.load_model("hf://yanivfi1978/modelscan-keras-bypass-poc") - Notebooks
- Google Colab
- Kaggle
YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
ModelScan Keras Scanner Bypass PoC
Summary
ModelScan 0.8.7 KerasLambdaDetectScan fails to detect malicious .keras files containing __lambda__ with arbitrary bytecode in nested config fields (e.g., layer activation).
The scanner only checks top-level layer.class_name == "Lambda" but Keras internally uses "__lambda__" (double underscores, lowercase) in nested serialization configs. This mismatch allows an attacker to embed RCE payloads that ModelScan reports as safe.
Reproduction
# 1. Generate the malicious .keras file
python3 create_malicious_keras.py
# 2. Scan with ModelScan (requires tensorflow)
pip install 'modelscan[tensorflow]'
modelscan scan -p modelscan_keras_bypass.keras
# Output: "No issues found!"
# 3. Load with Keras to trigger RCE (safe_mode=False)
python3 -c "
import keras
keras.config.enable_unsafe_deserialization()
keras.saving.load_model('modelscan_keras_bypass.keras')
"
Root Cause
In modelscan/scanners/keras/scan.py, _get_keras_operator_names():
lambda_layers = [
layer.get("config", {}).get("function", {})
for layer in model_config_data.get("config", {}).get("layers", {})
if layer.get("class_name", {}) == "Lambda"
]
Two flaws:
- Only checks
class_name == "Lambda"โ misses"__lambda__"used by Keras serialization - Only checks top-level layers โ never inspects nested config fields like
activation,loss, etc.
Files
modelscan_keras_bypass.kerasโ malicious model file (RCE via__lambda__in activation)create_malicious_keras.pyโ script to generate the PoC
- Downloads last month
- -
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐ Ask for provider support