Hugging Face's logo

Rammadaeus
/
poc-keras-rwkv-eval-gadget

Keras
Model card Files
xet
 Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

PoC: Keras RWKV Tokenizer eval() Gadget โ€” safe_mode Bypass

Format: Keras (.keras) Target: keras + keras-hub CWE: CWE-94 (Code Injection)

Vulnerability

A crafted .keras file achieves arbitrary code execution when loaded with keras.saving.load_model() even with safe_mode=True. The RWKVTokenizer class from keras-hub (an allowlisted package) calls eval() on attacker-controlled vocabulary data.

Reproduction 

pip install keras keras-hub
python3 -c "
import keras, os
marker = '/tmp/rwkv_ace_proof.txt'
if os.path.exists(marker): os.remove(marker)
try: keras.saving.load_model('poc_rwkv_ace.keras', safe_mode=True)
except: pass
print('ACE:', os.path.exists(marker))
"

Tested: Keras 3.13.2, keras-hub 0.26.0

Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support