Instructions to use wulonchia/modelscan-nested-lambda-bypass with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Keras
How to use wulonchia/modelscan-nested-lambda-bypass with Keras:
```python
# Available backend options are: "jax", "torch", "tensorflow".
import os
os.environ["KERAS_BACKEND"] = "jax"

import keras

model = keras.saving.load_model("hf://wulonchia/modelscan-nested-lambda-bypass")
```
- Notebooks
- Google Colab
- Kaggle
metadata
license: mit
ModelScan Nested Keras Lambda Layer Detection Bypass — PoC
This repository contains a proof-of-concept .keras model file for a detection
bypass in protectai/modelscan (v0.8.6).
File
`nested_lambda_poc.keras` — a Keras model whose malicious `Lambda` layer is nested inside an inner `Sequential` sub-model.
Behavior
- ModelScan 0.8.6 only inspects the top-level `config.layers` list, so it reports "No issues found" for this file.
- An identical Lambda at the top level is correctly flagged as MEDIUM severity.
- The nested Lambda still executes arbitrary code at `keras.models.load_model()` time.
This PoC is shared privately (gated, manual review) for vulnerability disclosure purposes only.