stealth / tensor-pwn

AI fun

TensorFlow Exploitation #1

Open JorianWoltjer opened 8 months ago

JorianWoltjer commented 8 months ago

Nice idea to collect some techniques on model loading vulnerabilities.

In the README it currently states that TensorFlow is uncertain and might be using pickle in a safe way. But it turns out this is actually not safe at all, through lambda functions you can run arbitrary code when the model is loaded. See the detailed writeup here: https://splint.gitbook.io/cyberblog/security-research/tensorflow-remote-code-execution-with-malicious-model This makes .h5 files exploitable as well.

stealth commented 8 months ago

Yes, thx for the pointer. I meanwhile found some time to dig deeper into tf and got the same results. Keras has got a safe-mode for that. I will leave the issue open for the reference URL.
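Added example (not code from the tensor-pwn repository or from either commenter): a defensive pre-check for the Lambda-layer issue raised in this thread. A Keras Lambda layer stores its `function` as serialized Python bytecode, and deserializing it is what executes attacker-controlled code at load time; Keras 3's `load_model(..., safe_mode=True)` (the default) refuses that deserialization. The scanner below inspects a Keras v3 `.keras` archive without importing Keras at all, so it can run in a CI or ingestion pipeline before any model is loaded. It assumes the Keras 3 layout (a zip with `config.json`, layers as dicts carrying a `class_name` key, Lambda layers marked `Lambda` / `__lambda__`); the two archives it scans are constructed fixtures, not real models.

```python
"""Scan a Keras v3 .keras archive for Lambda layers before loading it.

Added example for this issue, not project code.  Assumptions: the Keras 3
archive layout (zip containing config.json), and that Lambda layers are the
dicts whose class_name is "Lambda" or "__lambda__".  Fixtures are constructed.
"""
import io
import json
import zipfile

# class_name values that identify a code-bearing Lambda node in config.json
LAMBDA_MARKERS = {"Lambda", "__lambda__"}


def find_lambda_nodes(node, path="config"):
    """Recursively yield JSON paths of every node whose class_name is a Lambda marker."""
    if isinstance(node, dict):
        if node.get("class_name") in LAMBDA_MARKERS:
            yield path
        for key, value in node.items():
            yield from find_lambda_nodes(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_lambda_nodes(value, f"{path}[{i}]")


def scan_keras_archive(data: bytes):
    """Return the JSON paths of Lambda nodes in the archive's config.json.

    Raises ValueError if the zip has no config.json (not a Keras v3 archive).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "config.json" not in zf.namelist():
            raise ValueError("not a Keras v3 archive: config.json missing")
        config = json.loads(zf.read("config.json"))
    return list(find_lambda_nodes(config))


def is_safe_to_load(data: bytes) -> bool:
    """True when the archive contains no Lambda layer at all."""
    return not scan_keras_archive(data)


def build_archive(config: dict, include_config: bool = True) -> bytes:
    """Construct a minimal .keras-style zip around the given config (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_config:
            zf.writestr("config.json", json.dumps(config))
        zf.writestr("metadata.json", json.dumps({"note": "constructed fixture"}))
    return buf.getvalue()


def dense_layer(name: str) -> dict:
    return {"module": "keras.layers", "class_name": "Dense",
            "config": {"name": name, "units": 4}}


# Constructed fixture 1: only Dense layers, nothing that carries code.
SAFE_MODEL = {"module": "keras", "class_name": "Sequential",
              "config": {"name": "safe", "layers": [dense_layer("d1"), dense_layer("d2")]}}

# Constructed fixture 2: same model plus a Lambda layer; the "code" value is a
# placeholder string standing in for the serialized bytecode Keras would store.
UNSAFE_MODEL = {"module": "keras", "class_name": "Sequential",
                "config": {"name": "unsafe", "layers": [
                    dense_layer("d1"),
                    {"module": "keras.layers", "class_name": "Lambda",
                     "config": {"name": "l1",
                                "function": {"class_name": "__lambda__",
                                             "config": {"code": "<serialized bytecode placeholder>"}}}}]}}

SAFE_ARCHIVE = build_archive(SAFE_MODEL)
UNSAFE_ARCHIVE = build_archive(UNSAFE_MODEL)

if __name__ == "__main__":
    for label, blob in (("safe", SAFE_ARCHIVE), ("unsafe", UNSAFE_ARCHIVE)):
        hits = scan_keras_archive(blob)
        print(label, "->", "no Lambda layers" if not hits else f"Lambda nodes at {hits}")
```

The walker is deliberately structure-agnostic (it matches on `class_name` anywhere in the tree rather than on a fixed nesting), so it also catches Lambda layers buried in nested Functional models. For legacy `.h5` files the architecture lives as a JSON string in the HDF5 `model_config` attribute; reading that with `h5py` and passing the parsed dict to `find_lambda_nodes` gives the same check, but the zip reader above does not cover that path.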

stealth commented 8 months ago

I just added a reference to the writeup to give proper credits.