
TensorFlow SavedModel Scanner Bypass PoC

Vulnerability: Multiple dangerous TF operations bypass ModelScan detection in SavedModel format
Impact: Arbitrary file write + info leak at model load time, undetected by all scanners
Affected: TensorFlow SavedModel format loaded via tf.saved_model.load()
Scanner Bypassed: ModelScan 0.8.8 (ProtectAI)

Files

  • malicious_savedmodel/ - SavedModel that writes files at load time (passes ModelScan)
  • create_v2_bypass.py - Script to create the malicious model and verify the bypass

Reproduction

pip install tensorflow modelscan

# Scan the model - reports clean
modelscan --path malicious_savedmodel/
# Output: "No issues found!"

# Load the model - writes files
python3 -c "
import tensorflow as tf
model = tf.saved_model.load('malicious_savedmodel')
"
# Check: /tmp/pwned_savedmodel.data-00000-of-00001 now exists

# Or run the full PoC:
python3 create_v2_bypass.py

Bypassed Operations

ModelScan only detects ReadFile and WriteFile. These 12 dangerous ops are NOT detected: SaveV2, Save, MergeV2Checkpoints, RestoreV2, Restore, InitializeTableFromTextFileV2, MatchingFiles, Abort, PrintV2, CreateSummaryFileWriter, DecodeBase64, FileSystemSetConfiguration
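For the detection side, here is an added example that is not part of this repository: a small auditor that walks saved_model.pb directly, with a hand-written reader for the protobuf wire format, so it needs no TensorFlow install and cannot trigger any op. It descends SavedModel.meta_graphs (field 2) -> MetaGraphDef.graph_def (2) -> GraphDef.node (1) and GraphDef.library (2) -> FunctionDef.node_def (3), reading NodeDef.op (2); those field numbers are taken from TensorFlow's public .proto files, and the function bodies matter because tf.function graphs live in the library, not in the top-level node list. The denylist is exactly the two ops the text says ModelScan checks plus the twelve it lists as missed. Function names and the sample bytes (a SaveV2 in the main graph, a ReadFile in a function) are constructed for illustration; the fixture is not a loadable model.

```python
"""Denylist auditor for TensorFlow SavedModel graphs (no TensorFlow required)."""
import sys
from pathlib import Path

# ReadFile/WriteFile are what ModelScan 0.8.8 checks; the other twelve are the
# ops the write-up above reports as undetected.
DANGEROUS_OPS = frozenset({
    "ReadFile", "WriteFile",
    "SaveV2", "Save", "MergeV2Checkpoints", "RestoreV2", "Restore",
    "InitializeTableFromTextFileV2", "MatchingFiles", "Abort", "PrintV2",
    "CreateSummaryFileWriter", "DecodeBase64", "FileSystemSetConfiguration",
})

# --- protobuf wire format: just enough to descend into GraphDef -------------
def _varint(buf, i):
    """Decode one varint at offset i; return (value, next_offset)."""
    shift = result = 0
    while True:
        b = buf[i]
        i += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, i
        shift += 7

def iter_fields(buf):
    """Yield (field_number, wire_type, value) for each field of a message.
    Length-delimited values are bytes, varints are int, fixed-width fields
    come back as raw bytes (callers ignore them)."""
    i = 0
    while i < len(buf):
        tag, i = _varint(buf, i)
        fno, wt = tag >> 3, tag & 7
        if wt == 0:
            val, i = _varint(buf, i)
        elif wt == 1:
            val, i = buf[i:i + 8], i + 8
        elif wt == 2:
            n, i = _varint(buf, i)
            val, i = buf[i:i + n], i + n
        elif wt == 5:
            val, i = buf[i:i + 4], i + 4
        else:
            raise ValueError(f"unsupported wire type {wt} at offset {i}")
        yield fno, wt, val

# --- SavedModel -> MetaGraphDef -> GraphDef -> NodeDef -----------------------
def _node(node_def, where):
    name = op = ""
    for fno, wt, val in iter_fields(node_def):
        if fno == 1 and wt == 2:    # NodeDef.name
            name = val.decode("utf-8", "replace")
        elif fno == 2 and wt == 2:  # NodeDef.op
            op = val.decode("utf-8", "replace")
    return {"node": name, "op": op, "where": where}

def graph_nodes(graph_def):
    """Yield nodes from GraphDef.node and from every FunctionDef in GraphDef.library."""
    for fno, wt, val in iter_fields(graph_def):
        if fno == 1 and wt == 2:    # GraphDef.node
            yield _node(val, "graph")
        elif fno == 2 and wt == 2:  # GraphDef.library (FunctionDefLibrary)
            for f, w, fdef in iter_fields(val):
                if f != 1 or w != 2:  # FunctionDefLibrary.function
                    continue
                fname, bodies = "?", []
                for f2, w2, v2 in iter_fields(fdef):
                    if f2 == 1 and w2 == 2:        # FunctionDef.signature (OpDef)
                        for f3, w3, v3 in iter_fields(v2):
                            if f3 == 1 and w3 == 2:  # OpDef.name
                                fname = v3.decode("utf-8", "replace")
                    elif f2 == 3 and w2 == 2:      # FunctionDef.node_def
                        bodies.append(v2)
                for nd in bodies:
                    yield _node(nd, f"function:{fname}")

def scan_saved_model_bytes(data, denylist=DANGEROUS_OPS):
    """Return every node, in any meta graph, whose op is on the denylist."""
    findings = []
    for fno, wt, mg in iter_fields(data):
        if fno != 2 or wt != 2:       # SavedModel.meta_graphs
            continue
        for f, w, gd in iter_fields(mg):
            if f == 2 and w == 2:     # MetaGraphDef.graph_def
                findings.extend(n for n in graph_nodes(gd) if n["op"] in denylist)
    return findings

def scan_saved_model_dir(path):
    return scan_saved_model_bytes((Path(path) / "saved_model.pb").read_bytes())

# --- constructed fixture (not a loadable model) ------------------------------
def _enc_varint(v):
    out = bytearray()
    while True:
        b, v = v & 0x7F, v >> 7
        out.append(b | 0x80 if v else b)
        if not v:
            return bytes(out)

def _ld(field, payload):
    """Encode one length-delimited (wire type 2) field."""
    return _enc_varint(field << 3 | 2) + _enc_varint(len(payload)) + payload

def build_sample_saved_model():
    """Constructed SavedModel bytes: Const + SaveV2 in the top graph, ReadFile
    inside one function body, so both search paths are exercised."""
    def node(name, op):
        return _ld(1, name.encode()) + _ld(2, op.encode())
    fdef = _ld(1, _ld(1, b"restore_fn")) + _ld(3, node("rd", "ReadFile"))
    graph = _ld(1, node("c", "Const")) + _ld(1, node("save", "SaveV2")) + _ld(2, _ld(1, fdef))
    return b"\x08\x01" + _ld(2, _ld(2, graph))   # schema_version=1, one meta graph

if __name__ == "__main__":
    hits = (scan_saved_model_dir(sys.argv[1]) if len(sys.argv) > 1
            else scan_saved_model_bytes(build_sample_saved_model()))
    for h in hits:
        print(f"{h['where']}: node '{h['node']}' uses {h['op']}")
    sys.exit(1 if hits else 0)
```

Run it as `python3 audit_savedmodel.py malicious_savedmodel/` (script name assumed) to get a non-zero exit on any hit; with no argument it scans the constructed fixture. Because it only parses bytes, it is safe to run in CI before a model is ever handed to tf.saved_model.load(), and extending the denylist is a one-line change when new file-touching ops are identified.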
