Keras VDS safe_mode Bypass PoC
Security Research - Responsible Disclosure via huntr
Vulnerability
Keras <= 3.13.2 `_verify_dataset()` only checks `dataset.external` (ExternalLink) but NOT `dataset.is_virtual` (VirtualDataset). A malicious model using HDF5 Virtual Datasets transparently reads data from external H5 files on the victim's filesystem, bypassing `safe_mode=True`.

Impact: exfiltration of HDF5 files from the victim's machine (other models, datasets, cached weights) when loading a malicious model.
Attack Vectors (confirmed working)

| Loading Method | VDS Works? | Notes |
|---|---|---|
| `load_model('model/')` unzipped dir | YES | HuggingFace Hub format |
| `model.load_weights('file.weights.h5')` | YES | Always disk-backed |
| `load_model('model.h5')` legacy format | YES | Direct H5 load |
| HuggingFace `from_pretrained()` | YES | Downloads to disk |
| Large `.keras` zip (>available RAM) | YES | Extracted to temp dir |
Reproduction
```bash
KERAS_BACKEND=numpy python3 poc_final.py
```
Root Cause
```python
# keras/src/saving/saving_lib.py, _verify_dataset()
# Checks this:  dataset.external          -> None for VDS (PASSES!)
# Misses this:  dataset.is_virtual        -> True for VDS (NOT CHECKED)
# VDS reads from: dataset.virtual_sources() -> external file refs
```
Fix
Add a `dataset.is_virtual` check to `_verify_dataset()`:

```python
if dataset.is_virtual:
    raise ValueError("Virtual datasets referencing external files are not allowed")
```
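As an added example (not part of this PoC or of Keras itself), a pre-load scanner that applies the hardened check above to every dataset in an HDF5 file and reports the virtual-dataset sources the current `_verify_dataset()` misses, alongside the external-storage case it already catches. It assumes the h5py API (`Dataset.external`, `Dataset.is_virtual`, `Dataset.virtual_sources()`) and constructs its own sample file with a placeholder source path.

```python
import os

def _as_str(value):
    # h5py may return names as bytes; normalise for reporting.
    return value.decode() if isinstance(value, bytes) else str(value)

def classify_dataset(dataset):
    """(kind, path) findings for one h5py-style Dataset: needs only .external,
    .is_virtual and .virtual_sources(), the attributes the Keras check uses/omits."""
    findings = []
    # External raw storage: the case _verify_dataset() already catches.
    for name, _offset, _size in (dataset.external or []):
        findings.append(("external", _as_str(name)))
    # Virtual dataset mapped from other HDF5 files: missed by Keras <= 3.13.2.
    if dataset.is_virtual:
        for src in dataset.virtual_sources():
            findings.append(("virtual", _as_str(src.file_name)))
    return findings

def verify_dataset_hardened(dataset):
    """The check _verify_dataset() should apply: refuse any out-of-file storage."""
    if classify_dataset(dataset):
        raise ValueError("Datasets referencing external files are not allowed")

def scan_h5(path):
    """{dataset_path: findings} for every dataset whose storage lies outside `path`."""
    import h5py  # lazy import keeps classify_dataset() usable without h5py
    report = {}

    def visit(name, obj):
        if isinstance(obj, h5py.Dataset):
            findings = classify_dataset(obj)
            if findings:
                report[name] = findings

    with h5py.File(path, "r") as f:
        f.visititems(visit)
    return report

def build_demo_file(directory):
    """Constructed sample: one ordinary dataset plus one virtual dataset whose
    source is another HDF5 file (placeholder path; it need not exist)."""
    import h5py
    path = os.path.join(directory, "demo.weights.h5")
    layout = h5py.VirtualLayout(shape=(4,), dtype="f4")
    layout[:] = h5py.VirtualSource("/tmp/other_model.h5", "kernel", shape=(4,))
    with h5py.File(path, "w") as f:
        f.create_dataset("dense/kernel", data=[1.0, 2.0, 3.0, 4.0])
        f.create_virtual_dataset("dense/bias", layout, fillvalue=0)
    return path  # scan_h5(path) -> {'dense/bias': [('virtual', '/tmp/other_model.h5')]}
```

Running `scan_h5()` over a downloaded weights file before handing it to `load_model()` or `load_weights()` gives a defender the out-of-file references that `safe_mode=True` currently does not reject.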