MLflow Keras RCE PoC
This repository contains a proof-of-concept model to demonstrate a Remote Code Execution vulnerability in MLflow's handling of Keras models.
Vulnerability Details
The mlflow.keras.load_model function acts as a wrapper around tf.keras.models.load_model. It exposes the keras_model_kwargs parameter, which allows a user to pass safe_mode=False to the underlying Keras loader. This disables Keras's built-in protection against the deserialization of arbitrary code in Lambda layers, leading to RCE.
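As an added defensive example (not code from this repository), the check below inspects a .keras archive's config.json for Lambda layers before anything is deserialized, and refuses a keras_model_kwargs mapping that sets safe_mode=False. The .keras zip layout (config.json inside the archive) and the sample config are assumptions constructed for the demo.

```python
import io
import json
import zipfile

# Layer classes whose deserialization can execute attacker-supplied code
# once Keras's safe_mode is disabled.
UNSAFE_LAYER_CLASSES = {"Lambda"}


def find_unsafe_layers(config):
    """Walk a Keras config tree and return the JSON paths of layers that
    carry serialized code. Recursion covers nested models and wrappers."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            if node.get("class_name") in UNSAFE_LAYER_CLASSES:
                found.append("/".join(path) or "<root>")
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])

    walk(config, [])
    return found


def scan_keras_archive(data):
    """Read config.json out of a .keras zip (assumed layout) without loading it."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        config = json.loads(archive.read("config.json"))
    return find_unsafe_layers(config)


def reject_unsafe_kwargs(keras_model_kwargs):
    """Gate for the keras_model_kwargs passed to mlflow.keras.load_model:
    never forward safe_mode=False to the underlying Keras loader."""
    if keras_model_kwargs and keras_model_kwargs.get("safe_mode", True) is False:
        raise ValueError("refusing to load a Keras model with safe_mode=False")
    return dict(keras_model_kwargs or {})


# Constructed sample config: a Dense layer followed by a Lambda layer.
SAMPLE_CONFIG = {
    "module": "keras", "class_name": "Sequential",
    "config": {"name": "sequential", "layers": [
        {"module": "keras.layers", "class_name": "Dense", "config": {"units": 4}},
        {"module": "keras.layers", "class_name": "Lambda",
         "config": {"function": ["<serialized code omitted>", None, None]}},
    ]},
}


def build_sample_archive(config=SAMPLE_CONFIG):
    """Build an in-memory zip in the assumed .keras layout for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("config.json", json.dumps(config))
        archive.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
    return buf.getvalue()
```

Legacy HDF5 (.h5) models keep the same config as a string attribute rather than a zip member, so they need a separate reader before the same walk is applied.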
Reproduction Steps
- Install dependencies:
  pip install mlflow tensorflow huggingface_hub
- Run the reproduction script:
  python reproduce.py
- Observe the "SUCCESS" message, which confirms the payload (touch /tmp/MLFLOW_KERAS_PWNED) was executed.