---
license: other
library_name: keras
tags:
- security
- proof-of-concept
- keras
- model-file-format
- gated-poc
---

# Keras Native `.keras` ZIP Expansion PoC

This repository is a gated proof-of-concept for a security report submitted through Huntr's model file format bounty process.

## Purpose

The PoC demonstrates that Keras Native `.keras` model loading can extract a compressed, unrequested archive asset to disk while loading with `safe_mode=True`.

## Tested Target

- Project: `keras-team/keras`
- Version observed by PoC: `3.15.0`
- Commit: `0172a2f5e42e227c120c65da5daef3ebbfaaf06d`
- Backend used for the local proof: `numpy`

## Files

- `keras_native_zip_expansion_poc.keras`: generated local PoC model file.
- `poc_keras_native_zip_expansion_dos.py`: local-only reproduction script.
- `local_reproduction_output_20260521.json`: proof output from a local run.

## Local Reproduction

```bash
KERAS_BACKEND=numpy python poc_keras_native_zip_expansion_dos.py --payload-mib 64
```

Expected markers:

```text
"safe_mode": true
"added_asset_uncompressed_size_bytes": 67108864
"relative_path": "assets/unrequested_padding.bin"
"finding": "REPRODUCED_KERAS_NATIVE_LOAD_MODEL_EXTRACTS_UNREQUESTED_COMPRESSED_ASSET"
```

## Boundary

This is a local-only proof. During execution it does not contact Keras, Huntr, or Hugging Face services, cloud services, production systems, or external targets. Access should remain gated and granted only to the reviewing party requested by Huntr.
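As an added defensive illustration of the finding described under Purpose (example code written for this page, not part of the PoC or of Keras itself): a `.keras` file is a ZIP archive, so a loader-side guard can list its members before `load_model` touches the file and flag any entry that is not one of the expected archive members, is oversized, or has a zip-bomb-like compression ratio. The expected-member set, the size ceiling and the ratio ceiling are assumed policy values, and the sample archive is constructed inline.

```python
import io
import zipfile

# Members a Keras 3 .keras archive normally carries (assumption for this example).
EXPECTED_MEMBERS = {"metadata.json", "config.json", "model.weights.h5"}
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # per-entry uncompressed ceiling (assumed policy)
MAX_RATIO = 100.0                    # uncompressed / compressed ceiling (assumed policy)


def inspect_keras_archive(data: bytes) -> list[dict]:
    """Return one finding per suspicious ZIP member; an empty list means nothing was flagged.

    Only the central directory is read; no member is extracted, so the check itself
    cannot trigger the disk expansion it is meant to catch.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.filename not in EXPECTED_MEMBERS:
                reasons.append("unexpected_member")
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append("oversized")
            if ratio > MAX_RATIO:
                reasons.append("high_compression_ratio")
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                reasons.append("path_traversal_name")
            if reasons:
                findings.append({"name": info.filename, "uncompressed": info.file_size,
                                 "compressed": info.compress_size, "reasons": reasons})
    return findings


def build_sample_archive(padding_bytes: int) -> bytes:
    """Constructed sample input: a minimal .keras-like ZIP plus one extra padding asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("metadata.json", '{"keras_version": "3.x"}')
        zf.writestr("config.json", '{"class_name": "Sequential"}')
        zf.writestr("assets/unrequested_padding.bin", b"\0" * padding_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # 64 MiB of zeros mirrors the --payload-mib 64 run; the asset deflates to a few KiB.
    for finding in inspect_keras_archive(build_sample_archive(64 * 1024 * 1024)):
        print(finding)
```

Running the guard before `load_model` and refusing archives with any finding turns the unrequested-asset extraction into a pre-load rejection rather than a disk-fill on the loading host.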