[BUG] Security Vulnerability #358

Description

@anandppatil

Describe the bug
Reporting a security vulnerability in ModelScan through private disclosure, in accordance with the repository's SECURITY.md.

Technical details are intentionally withheld from this public issue and will be provided privately to security@protectai.com.

To Reproduce
Withheld from this public issue. Full reproduction steps, scanner output, a self-contained generator, and a proof-of-concept model file will be provided privately.

Expected behavior
ModelScan should identify unsafe executable content embedded in a supported model format rather than reporting the model as containing no issues.

Further details are included in the private report.

Screenshots
N/A

Environment (please complete the following information):
OS: Windows — local validation environment
ModelScan version: 0.8.8
ML framework version: Keras 3.14.1
Model serialization format: Keras Native (.keras)

Additional context
GitHub handle: anandppatil4383
A private report referencing this issue has been sent to security@protectai.com.
Proof-of-concept material will not be published while coordinated disclosure is in progress.

Metadata

Assignees

No one assigned

Labels

bug (Something isn't working)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests