Model Scanner Release Notes¶
Overview¶
We are excited to announce the latest release of HiddenLayer’s Model Scanner as part of our continued commitment to providing the industry’s most advanced AI security solution. This update introduces a new feature, along with enhancements, that make securing your AI even more robust, intuitive, and effective.
The Model Scanner analyzes Machine Learning Models (ML Models) to identify hidden cybersecurity risks and threats, such as malware, vulnerabilities, and integrity issues.
See the HiddenLayer Model Scanner Deployment Guide for detailed instructions on deployment options, installation, and testing the model scanner.
Model Scanner Enterprise version 25.6.0¶
Release Notes for Model Scanner Enterprise v25.6.0 release on June 26, 2025.
What’s New¶
Hybrid Deployment for Self-Hosted API¶
- The Model Scanner Self-Hosted API (formerly Model Scanner Enterprise) can be deployed in Hybrid Mode.
  - Hybrid Mode sends Model Scanner results to the AISec Platform, where they are visible in the Console.
Scan Source in Model Scan Details¶
- Model Scan details now include information about the Origin and the Request Source.
  - Origin: The source of the model file. Examples: Hugging Face, internal repository, or local file system.
  - Request Source: How the scan request was initiated. Example: UI upload.
What’s Resolved¶
- This release also includes bug fixes and performance improvements.
Model Scanner Enterprise version 25.5.0¶
Release Notes for Model Scanner Enterprise v25.5.0 release on May 20, 2025.
What’s New¶
AI Bill of Materials (AIBOM)¶
- Designed to address critical challenges in AI supply chain security.
- AIBOM provides an inventory of AI artifacts for every scanned model in an industry-standard SBOM format, enabling security and data science teams to track AI components and vulnerabilities and to ensure compliance with regulatory standards.
- Available in SaaS, Model Scanner CLI, and Model Scanner Self-hosted (CLI+Orchestrator).
- Includes coverage for pyrepl, venv, and ultralytics functions, which can be used to execute malicious code.
Model Scanner CLI Hugging Face Repository URL¶
- Model Scanner CLI now accepts a Hugging Face repository URL and token for access to private or gated repositories.
- Files in the repo are automatically downloaded and scanned.
Installation for Non-Admin Users¶
- For users who do not have admin access to the Kubernetes cluster, HiddenLayer provides an option to install with a lower-privilege user into an existing namespace.
- See the Model Scanner API Deployment Guide for more information.
Previous Releases¶
Model Scanner Enterprise v3 version 25.4.0¶
Release Notes for Model Scanner Enterprise v3 v25.4.0 released on April 24, 2025.
What’s Improved¶
Detection Updates¶
- Pickle File Format detections are now classified as Critical.
  - Added coverage for pyrepl, venv, and ultralytics functions, which can be used to execute malicious code.
- Coverage for the new Control Vector attacker technique under the Model Backdooring category.
  - Inserted control vectors can control or modify model behavior and can also be used to remove refusals on a secured model.
- Keras File Format
  - Added detection for CVE-2025-1550, a vulnerability in Keras that allows attackers to execute arbitrary code during model loading, even when safe_mode=True. This exploit leverages the deserialization process of .keras model archives, specifically targeting the config.json file within the archive.
Model Scanner Enterprise v3 version 25.3.0¶
Release Notes for Model Scanner Enterprise v3 v25.3.0 released on March 26, 2025.
What’s New¶
Model Scanner V3 Output¶
- Model Scanner outputs the V3 schema format by default.
Info (V2 Schema): The v2 schema output is no longer supported.
Community Scan¶
- You can now scan a model directly from a public repository on Hugging Face by specifying the repo URL.
- HiddenLayer will automatically download and scan the model.
Info (Private or Gated Hugging Face Repositories): Private or gated Hugging Face repositories are not supported at this time.
New Detections¶
- Repository Sideloading: Detects instructions in the config.json file to load code or model artifacts from a location that bypasses checks performed on the artifacts in the repository.
- Pickle File Format: New rules detect risks specific to serialized .pkl files.
- Graph Payload: Introduced three new detection rules targeting this attack technique.
What’s Improved¶
Severity Level Updates¶
- Arbitrary Code Execution detections are now classified as Critical.
  - Why this matters: Arbitrary code execution (ACE) attacks are relatively easy to perform and can lead to serious consequences, such as executing malicious code within organizational systems. When a scan identifies a malicious file, it’s treated as a Critical vulnerability, indicating potential intent to load it, which creates a risk of remote code execution (RCE).
  - Recommended Action: Avoid using any model flagged for ACE to mitigate security risks.
- Additional detection severity reclassifications have been made to align with the HiddenLayer Vulnerability Risk Taxonomy. Also see the Model Scanner Detection Categories article.
  - Embedded Payload: Medium → Low
  - Suspicious Functions: Medium → High
  - Suspicious File Format: Low → Medium
CLI Detection Output Updates¶
- The risk field has been removed from the Model Scanner CLI output. Use the severity field to assess organizational risk.
- Updated schema_version: 3.2.0
Enterprise Architecture Update¶
- Self-Hosted Model Scanner Enterprise V3 now supports Azure and AWS deployments.
Info (V2 Model Scanner Enterprise): The v2 Model Scanner Enterprise architecture (which bundled API and Worker in a single distro-enterprise-modelscanner image) is no longer supported.
Action Required: Upgrade to the V3 architecture for continued support and enhancements.
Model Scanner Enterprise v3 version 25.2.0¶
Release Notes for Model Scanner Enterprise v3 v25.2.0 released on February 19, 2025.
What’s New¶
Self-Hosted Enterprise V3 - Now Supports Azure¶
In addition to AWS, you can now install Model Scanner Self-Hosted Enterprise V3 on Azure using our easy-to-use installer.
Console UI Improvements¶
Detections All - Model Scanner
- New Filters – Quickly sort and prioritize detections with filters for Date and Scanner Versions
Model Inventory Enhancements
- Model Deletion – You can now delete model cards from the inventory.
Fewer Unsupported File Status Errors¶
Model Scanner now recognizes but does not scan the following common file types:
- Documentation: .md (READMEs, release notes)
- Code Files: .py (scripts), .js (optional), .sh (shell scripts)
- Config/Metadata: .json, .yaml, .yml, .ini, .cfg
- Data Files: .txt, .csv, .tsv
- Git Config Files: .gitignore, .gitattributes
What’s Improved¶
Performance Optimizations¶
Memory usage has been optimized for all file types by eliminating MD5, SHA1, and TLSH hash calculations.
Detection Updates¶
Expanded tar file detection – Now applies Zip Slip vulnerability checks to all files typed as tar.
Model Scanner v25.1.1¶
What’s Improved¶
SARIF Output¶
Updated the SARIF output to work with the Model Scanner version 3 schema.
Model Scanner v25.1.0¶
Release Notes for the latest Model Scanner v25.1.0 released on February 6, 2025.
What’s New¶
Detections All - Console¶
A Detections All view for Model Scanner in the Console UI.
What’s Improved¶
Performance Optimization¶
- Memory usage for Skops file scanning has been reduced from 10x to 0.03x the file size, resulting in a 250x improvement in efficiency.
- Memory usage for NumPy file scanning has been reduced from 1x to 0.023x the file size, resulting in a 61x improvement in efficiency.
- The throughput for PyTorch and NeMo file scanning has increased by 2x.
Detection Updates¶
Improved detection accuracy for zip-type files, whether they contain random files or specific model types that use zip or tar as a container format (e.g., PyTorch, NeMo, Skops, NumPy, Keras, TensorFlow, or SafeTensors).
Model Scanner v24.12.0¶
Release Notes for the latest Model Scanner v24.12.0 released on December 17, 2024.
What’s New¶
Model Scanner License¶
HiddenLayer now provides a Model Scanner license.
Model Scanner Hybrid Deployment¶
A Model Scanner hybrid deployment lets the user run the Model Scanner CLI in their own environment while still viewing the results in a user-friendly interface, the AISec Platform Console.
Skops Files¶
- Model Scanner can scan and detect vulnerabilities in Skops files.
- The Skops file type (.skops) is SciKit Learn’s recommended secure file format.
FIPS-Compliant¶
Model Scanner container images are now FIPS-compliant, ensuring compatibility with systems adhering to Federal Information Processing Standards (FIPS) requirements.
Model Scanner Output - Version 3¶
The default output format of the Model Scanner CLI is version 3. To preserve the version 2 output format, use --output-format v2 in the CLI command.
What's Improved¶
ONNX¶
Improved memory usage for ONNX.
Default Output Format¶
Updated the default output format in the Model Scanner CLI to v3.
Pickle¶
Added coverage for numpy.f2py.diagnose.run_command.
Model Scanner v24.10.3¶
Release Notes for the latest Model Scanner v24.10.3 released on November 26, 2024.
What’s Improved¶
Detection Updates¶
Pickle: Updated rules to reduce false positives.
Model Scanner v24.10.2¶
Release Notes for the latest Model Scanner v24.10.2 released on November 6, 2024.
What’s Improved¶
Improved handling of multi-file archives¶
- ZIP files are now uncompressed and scanned up to three levels deep. Detection details for each file within the zip archive are accessible in the SaaS UI or via the v3 output in the Model Scanner CLI, allowing users to explore detailed results.
- If the archive file is in a supported format, such as PyTorch, it is uncompressed and scanned, and all relevant details and detections are reported at the main file level.
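The nested-archive scanning described above and the Zip Slip checks on tar files from the 25.2.0 detection update, as an added illustration that is not HiddenLayer's code: walk zip and tar members recursively up to an assumed three-level limit (MAX_DEPTH, not a documented product setting) and report any member path that would escape the extraction directory.

```python
import io
import posixpath
import tarfile
import zipfile
MAX_DEPTH = 3  # assumed limit, mirroring the "three levels deep" in the notes

def is_traversal(name: str) -> bool:
    """True if an archive member path would land outside the extraction root."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def archive_members(data: bytes):
    # Yield (name, payload-or-None) for every member of a zip or tar blob.
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                yield info.filename, zf.read(info)
        return
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf) as tf:
            for m in tf.getmembers():
                yield m.name, (tf.extractfile(m).read() if m.isfile() else None)
    except tarfile.TarError:
        return  # not a tar archive: a leaf file, nothing to descend into

def find_zip_slip(data: bytes, depth: int = 1, prefix: str = "") -> list:
    """Recursively report (path, reason) for members that escape the extraction root."""
    findings = []
    if depth > MAX_DEPTH:
        return findings
    for name, payload in archive_members(data):
        path = f"{prefix}/{name}" if prefix else name
        if is_traversal(name):
            findings.append((path, "member path escapes extraction root"))
        if payload is not None:  # descend into nested archives
            findings.extend(find_zip_slip(payload, depth + 1, path))
    return findings

def build_sample() -> bytes:
    """Constructed input: a zip holding a clean file and a tar with a traversal entry."""
    tar_buf, zip_buf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("../../.bashrc")
        info.size = 5
        tf.addfile(info, io.BytesIO(b"echo\n"))
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("model.bin", b"\x00" * 16)
        zf.writestr("inner.tar", tar_buf.getvalue())
    return zip_buf.getvalue()
```

Running `find_zip_slip(build_sample())` reports the traversal entry inside the nested tar with its full path, `inner.tar/../../.bashrc`, while the clean `model.bin` produces no finding.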
What’s Resolved¶
- Resolved an issue where files were incorrectly flagged with detections meant for other file types. Detections are now accurately matched to the correct file types, reducing false positives.
- This release also includes bug fixes.
Model Scanner v24.10.1¶
Release Notes for the latest Model Scanner v24.10.1 released on October 24, 2024.
What’s New¶
ONNX Detections¶
Detections for suspicious payloads and potential backdoors in ONNX computational graphs. These detections are based on insights from a ShadowLogic blog post.
What’s Improved¶
Pickle Format¶
Improved Pickle format introspection and detection accuracy.
What's Resolved¶
This release also includes bug fixes.
Model Scanner v24.10.0¶
Release Notes for the latest Model Scanner v24.10.0 released on October 15, 2024.
What’s New¶
ONNX Detections¶
Added two CVE detections and two non-CVE detections. The two CVEs are:
- CVE-2022-24882
- CVE-2024-27319
The two non-CVE additions are new Directory Traversal detections.
What’s Resolved¶
This release also includes bug fixes.
Model Scanner v24.9.1¶
Release Notes for the latest Model Scanner v24.9.1 released on September 30, 2024.
What’s New¶
Detection Risk Context¶
Each detection now includes enhanced risk information, such as:
- Detection Category: Identifies the detected adversarial technique, which helps classify and understand the nature of the threat
- Severity: Critical, High, Medium, or Low
- MITRE Atlas: Technique and tactic mapping
- OWASP: Top 10 ML/LLM mapping
- CVE Number: (if applicable)
This additional context helps you understand the potential risks associated with each detection.
Detection Updates - New Detections for Pickle¶
New detections have been added for three additional functions that could be exploited to execute arbitrary code.
Model Scanner v24.9.0¶
Release Notes for the latest Model Scanner v24.9.0 released on September 17, 2024.
What’s New¶
Detection Risk Content for Unsafe Models¶
Expand the usage of the SARIF format to help users understand and analyze model scanner results.
What’s Improved¶
GGUF Memory Improvements¶
Improved memory usage when scanning GGUF files.
Model Scanner v24.8.0¶
Release Notes for the latest Model Scanner v24.8.0 released on August 20, 2024.
What’s New¶
GCP Self-Hosted Deployment¶
Self-Hosted deployment for the Google Cloud Platform (GCP).
SARIF Format Output¶
Translate API v2 output to the Static Analysis Results Interchange Format (SARIF) format, a standard format for the output of static analysis tools.
Model Scanner v24.7.0¶
Release Notes for the latest Model Scanner v24.7.0 released on July 23, 2024.
What’s New¶
Redis TLS Connection¶
The Self-Hosted Enterprise Model Scanner now supports a Redis TLS connection using a TLS certificate when connecting an existing Redis instance to the Model Scanner. This allows you to maintain adherence to your security protocols.
This is available for the Model Scanner Enterprise Self-Hosted.
GGUF Model¶
The Model Scanner supports the GGUF model format. GGUF is a binary format for distributing trained machine learning models.
Detection Updates¶
The Model Scanner now includes the following detections:
- GGUF - CVE-2024-23496: a heap-based buffer overflow vulnerability in the gguf_fread_str function of llama.cpp (commit 18c2e17) allows remote code execution through specially crafted GGUF files.
- GGUF - CVE-2024-34359: a weakness in Jinja2 that can lead to arbitrary code execution through malicious chat_template within a GGUF model file's metadata.
- ONNX - CVE-2024-27318: a path traversal vulnerability that can lead to arbitrary file read.
- Pickle: detections for four additional functions that can be used to execute code.
What’s Resolved¶
This release also includes performance improvements and bug fixes.
Model Scanner v24.6.1¶
Release Notes for the latest Model Scanner v24.6.1 released on June 27, 2024.
What’s Improved¶
Pickle Detection Rules¶
Enhanced the detections library for Pickle files.
What’s Resolved¶
This release also includes performance improvements and bug fixes.
Model Scanner v24.6.0¶
Release Notes for the latest Model Scanner v24.6.0 released on June 20, 2024.
What’s New¶
RDS Files and R Packages¶
This release includes the detection of arbitrary code execution in R Data Serialization (RDS) files and R packages when using the Model Scanner. R is a programming language used in data analysis for statistical computing and data visualization.
RDS files use binary and ASCII serialization options, which can also be plain (non-compressed) or compressed. Compressed files use these algorithms: bz (bzip2), xz (xz utils), and gz (gzip). The Model Scanner can read both the plain and compressed RDS files.
Unknown File Type¶
Unsupported File is a new file type response and status for the Model Scanner.
If the Model Scanner attempts to scan a file that is not supported, the file information is included in the Scan Complete message. This message includes the error type and the affected file.
What’s Resolved¶
ONNX Files¶
Improved scanning of ONNX files.