SafeTensors F003 F4 NumPy Load Crash

Payload repository for Huntr / ProtectAI triage.

Finding

F4 Dtype Load Crash in SafeTensors NumPy Path via Unguarded numpy.float4_e2m1fn_x2 Lookup.

Primary PoC Files

POC/f003_f4_tensor.safetensors

POC/f003_control_f32.safetensors

PoC SHA256 Values

F4 crash PoC:

9530e83a32f2344b6068a565f1895b6b498fc64fdb90b4e2086c1bf44373f41e

F32 control:

a6e9b066647b899114ca05b566daf1a9ac22e0d18b9cc8d9423c7539a26dc1cf

Proof Script

POC/f003_f4_numpy_crash.py

Confirmed Behavior

SafeTensors 0.8.0-dev.0 adds support for the F4 dtype represented as float4_e2m1fn_x2.

In the NumPy framework path, the Python binding attempts to resolve:

numpy.float4_e2m1fn_x2

In a standard NumPy environment without ml_dtypes, this attribute is not present.

Confirmed environment:

numpy_has_float4_e2m1fn_x2 = False
ml_dtypes_installed = False

The F4 tensor file fails when loaded through safe_open(..., framework="numpy"):

UNIQUE_MARKER_F003_F4_NUMPY_CRASH_CONFIRMED
exception_type = AttributeError
exception = module 'numpy' has no attribute 'float4_e2m1fn_x2'

The F32 control file loads successfully in the same environment:

UNIQUE_MARKER_F003_F32_CONTROL_CONFIRMED
f32 shape = (1,) dtype = float32 data = [42.0]

Impact

A minimal valid F4 .safetensors file can deterministically break SafeTensors NumPy-framework consumers in standard NumPy environments where ml_dtypes is not installed.

This may affect:

NumPy-based model ingestion pipelines
model scanning systems
model validation jobs
SafeTensors consumers using safe_open(..., framework="numpy")

This is not a code execution claim. The confirmed impact is a deterministic availability failure caused by unguarded dtype resolution.
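
A pre-flight check that an ingestion or scanning job could run before handing a file to the NumPy path, as an added example that is not part of this repository or of safetensors: it reads the header with the standard library only and reports tensors whose dtype the current environment cannot resolve. The "F4" header spelling, the F32 row, the 100 MiB cap, and all function and variable names are assumptions; the sample bytes are constructed.

```python
import json
import struct
from types import SimpleNamespace

# Header dtype code -> attribute the NumPy path must resolve. Only the F4
# attribute name comes from the page; the "F4" key and the F32 row are assumed.
REQUIRED_ATTR = {"F4": "float4_e2m1fn_x2", "F32": "float32"}
MAX_HEADER = 100 * 1024 * 1024  # assumed sanity cap on the header size


def read_header(blob: bytes) -> dict:
    """Parse the safetensors header: u64 little-endian length, then JSON."""
    if len(blob) < 8:
        raise ValueError("truncated: no header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER or 8 + n > len(blob):
        raise ValueError("header length out of bounds")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    return header


def unresolvable_tensors(blob: bytes, np_module) -> list:
    """Return (tensor, dtype, reason) for tensors np_module cannot load."""
    problems = []
    for name, info in read_header(blob).items():
        if name == "__metadata__":
            continue
        dtype = info.get("dtype") if isinstance(info, dict) else None
        attr = REQUIRED_ATTR.get(dtype) if isinstance(dtype, str) else None
        if attr is None:
            problems.append((name, dtype, "dtype not on allow-list"))
        elif not hasattr(np_module, attr):
            problems.append((name, dtype, f"module lacks attribute {attr}"))
    return problems


def make_sample(dtype: str, shape: list, nbytes: int) -> bytes:
    """Constructed sample bytes for the check (not this repository's PoC)."""
    hdr = json.dumps({"t": {"dtype": dtype, "shape": shape,
                            "data_offsets": [0, nbytes]}}).encode()
    return struct.pack("<Q", len(hdr)) + hdr + bytes(nbytes)


# Stand-ins for an environment without and with the attribute (hypothetical).
PLAIN_NUMPY = SimpleNamespace(float32=object())
ENV_WITH_F4 = SimpleNamespace(float32=object(), float4_e2m1fn_x2=object())
```

In a real job, pass the imported numpy module as np_module and reject or quarantine the file when the returned list is non-empty, instead of letting the AttributeError end the run.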

Key Evidence Files

RAW_OUTPUT/F003_LIVE_PROOF_OUTPUT.txt
RAW_OUTPUT/f003_f4_tensor.hex.txt
RAW_OUTPUT/f003_control_f32.hex.txt
SOURCE/python_lib_rs_get_pydtype_lines_2110_2165.txt
SOURCE/python_lib_rs_Open_get_tensor_lines_800_850.txt
SOURCE/python_lib_rs_Torch_F4_halving_lines_930_955.txt
ENVIRONMENT.txt
F003_TRIAGE_SUMMARY.txt
SHA256SUMS.txt

Scope

Confirmed against:

Repository: huggingface/safetensors
Version: safetensors 0.8.0-dev.0
Commit: 73132135947275c5dda135438e4c2e4bd70a2b10
Component: bindings/python/src/lib.rs
Function: get_pydtype / Open::get_tensor / create_tensor

This repository intentionally contains only SafeTensors F003 F4 NumPy load crash artifacts.