ModelScan Keras Scanner Bypass PoC
Summary
ModelScan 0.8.7's KerasLambdaDetectScan fails to detect malicious .keras files that carry a "__lambda__" object with arbitrary bytecode in a nested config field (e.g., a layer's activation).
The scanner only checks top-level layers for class_name == "Lambda", but Keras serializes a Python lambda as a "__lambda__" object (double underscores, lowercase) wherever a callable appears in a config. Because of this mismatch, an attacker can embed an RCE payload in such a field and ModelScan reports the file as safe.
Reproduction
# 1. Generate the malicious .keras file
python3 create_malicious_keras.py
# 2. Scan with ModelScan (requires tensorflow)
pip install 'modelscan[tensorflow]'
modelscan scan -p modelscan_keras_bypass.keras
# Output: "No issues found!"
# 3. Load with Keras to trigger RCE (safe_mode=False)
python3 -c "
import keras
keras.config.enable_unsafe_deserialization()
keras.saving.load_model('modelscan_keras_bypass.keras')
"
Root Cause
In modelscan/scanners/keras/scan.py, _get_keras_operator_names():
lambda_layers = [
    layer.get("config", {}).get("function", {})
    for layer in model_config_data.get("config", {}).get("layers", {})
    if layer.get("class_name", {}) == "Lambda"
]
Two flaws:
- Only checks class_name == "Lambda", so it misses the "__lambda__" class name used by Keras serialization.
- Only checks top-level layers, so it never inspects nested config fields such as activation, loss, etc.
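To make the two flaws concrete, here is an added example (not ModelScan's code and not part of this repo): the quoted top-level check beside a recursive walk over a hand-constructed config that mimics the config.json found inside a .keras archive. The sample config, the placeholder "code" string, and the function names are assumptions made for the illustration; the placeholder is not real marshalled bytecode.

```python
"""Added example: the top-level Lambda check versus a recursive search for
Lambda / __lambda__ markers anywhere in a Keras model config.
The sample config below is constructed by hand; it is not a real model."""
import json
from typing import Any, Iterator

# Constructed sample mimicking a .keras config.json. Layer 1 hides a serialized
# lambda in its `activation` field; layer 2 is an ordinary Lambda layer whose
# `function` field is what the original check looks at.
SAMPLE_MODEL_CONFIG = {
    "class_name": "Sequential",
    "config": {
        "name": "sequential",
        "layers": [
            {"class_name": "InputLayer", "config": {"batch_shape": [None, 4]}},
            {
                "class_name": "Dense",
                "config": {
                    "name": "dense",
                    "units": 2,
                    "activation": {  # should be a string like "relu"
                        "class_name": "__lambda__",
                        "config": {
                            "code": "<marshalled-bytecode-placeholder>",
                            "defaults": None,
                            "closure": None,
                        },
                    },
                },
            },
            {
                "class_name": "Lambda",
                "config": {
                    "name": "lambda",
                    "function": {
                        "class_name": "__lambda__",
                        "config": {"code": "<marshalled-bytecode-placeholder>"},
                    },
                },
            },
        ],
    },
}


def flawed_lambda_functions(model_config_data: dict) -> list:
    """Mirrors the check quoted in the Root Cause section: only top-level
    layers whose class_name is exactly "Lambda" are inspected."""
    return [
        layer.get("config", {}).get("function", {})
        for layer in model_config_data.get("config", {}).get("layers", [])
        if layer.get("class_name", {}) == "Lambda"
    ]


SUSPICIOUS_CLASS_NAMES = {"Lambda", "__lambda__"}


def walk(obj: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every node of the config, depth first."""
    yield path, obj
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")


def find_lambda_markers(model_config_data: dict) -> list[str]:
    """Return the JSON path of every dict whose class_name is a Lambda layer or
    the __lambda__ marker, however deeply it is nested (activation, loss,
    initializer, ...). Anything found here deserves a finding."""
    return [
        path
        for path, node in walk(model_config_data)
        if isinstance(node, dict) and node.get("class_name") in SUSPICIOUS_CLASS_NAMES
    ]


def scan_keras_config_json(text: str) -> list[str]:
    """Scan the raw text of a config.json, e.g. read out of a .keras zip."""
    return find_lambda_markers(json.loads(text))


if __name__ == "__main__":
    print("top-level check:", flawed_lambda_functions(SAMPLE_MODEL_CONFIG))
    print("recursive walk :", find_lambda_markers(SAMPLE_MODEL_CONFIG))
```

Against the sample, the top-level check returns only the Lambda layer's function and is blind to the "__lambda__" object sitting in the Dense layer's activation, while the recursive walk reports both that path and the Lambda layer. A .keras file is a zip archive, so in practice the text handed to scan_keras_config_json would be the config.json member read with zipfile.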
Files
- modelscan_keras_bypass.keras: malicious model file (RCE via "__lambda__" in activation)
- create_malicious_keras.py: script to generate the PoC