
Tensorizer Metadata/Runtime Shape Authority Gap: PoC

Vulnerability Summary

The Tensorizer (CoreWeave) .tensors format stores each tensor's shape in two independent binary locations:

  1. File-level metadata section: a separate encoded blob at the start of the file
  2. Per-tensor header: stored alongside each tensor's data

The runtime loader (_copy_thread in serialization.py) uses per-tensor header shape to materialize tensors via _NumpyTensor.from_buffer(..., header.shape, mv). It validates that data_length values are consistent, but does not cross-validate that metadata.shape == header.shape.

A crafted .tensors file can have metadata shape (1, 1) while the per-tensor header (and thus the runtime tensor) has shape (100, 100), with the data_length field kept consistent so the load assertion passes silently.

Hash verification (verify_hash=True) does not detect this mutation because the metadata section is not covered by any per-tensor hash.
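As an added illustration (not part of this PoC's reproduce.py or of tensorizer itself), the cross-check the loader lacks, written over plain-Python stand-ins for the two shape records; TensorEntry, check_entry and check_file are assumed names, not tensorizer's API, and the sample entries are constructed to mirror the baseline and mutant files described here:

```python
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple

# Hypothetical stand-in for the two shape records a .tensors file carries
# for one tensor (tensorizer's own classes are deliberately not used).
@dataclass
class TensorEntry:
    name: str
    dtype_itemsize: int                 # bytes per element (float32 -> 4)
    metadata_shape: Tuple[int, ...]     # from the file-level metadata section
    header_shape: Tuple[int, ...]       # from the per-tensor header
    data_length: int                    # from the per-tensor header


def expected_bytes(shape: Tuple[int, ...], itemsize: int) -> int:
    return prod(shape) * itemsize


def check_entry(e: TensorEntry) -> List[str]:
    """Return findings for one tensor; an empty list means it is consistent."""
    findings = []
    # The check the loader already performs: data_length vs header shape.
    if e.data_length != expected_bytes(e.header_shape, e.dtype_itemsize):
        findings.append("data_length inconsistent with header shape")
    # The missing cross-check: metadata shape must equal header shape.
    if tuple(e.metadata_shape) != tuple(e.header_shape):
        findings.append(
            f"metadata shape {tuple(e.metadata_shape)} != "
            f"header shape {tuple(e.header_shape)}"
        )
    return findings


def check_file(entries: List[TensorEntry]) -> Dict[str, List[str]]:
    """Map tensor name -> findings, for tensors with at least one finding."""
    return {e.name: f for e in entries if (f := check_entry(e))}


# Constructed samples (float32): the baseline file and the metadata-only mutant.
# The mutant keeps data_length = 100*100*4, so only the cross-check catches it.
BASELINE = [TensorEntry("weight", 4, (100, 100), (100, 100), 40000)]
MUTANT = [TensorEntry("weight", 4, (1, 1), (100, 100), 40000)]

if __name__ == "__main__":
    for label, entries in (("baseline", BASELINE), ("mutant", MUTANT)):
        print(label, check_file(entries) or "consistent")
```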

Files

| File | Description |
| --- | --- |
| baseline.tensors | Valid Tensorizer v1 file, weight tensor shape (100, 100) |
| mutant_metadata_shape_only.tensors | Mutant: metadata shape changed to (1, 1), per-tensor header unchanged |
| reproduce.py | Pure Python reproducer: no torch/tensorizer install required |
| expected_output.txt | Expected output from reproduce.py |
| SHA256SUMS.txt | SHA-256 checksums |

Reproduction

python3 reproduce.py

Requires: Python 3.8+. reproduce.py is self-contained (no torch/tensorizer install required).

Additional verification with the actual TensorDeserializer (tensorizer==2.12.1, torch==2.0.1, numpy==1.26.4) confirmed the same gap at the runtime loader level: TensorDeserializer['weight'].shape returns (100, 100) while TensorDeserializer._metadata['weight'].shape is (1, 1), no exception is raised, and verify_hash=True reports nothing.

Expected Result

metadata shape (inspection):  (1, 1)
per-tensor shape (runtime):   (100, 100)
data_length consistent:       True
shapes differ:                True
load assert passes:           True
GAP_CONFIRMED:                True
RESULT: T0_CONFIRMED_INSPECTION_RUNTIME_GAP

Technical Details

  • Tensorizer version: 2.12.1
  • File format version: 1 (NON_OPAQUE_TENSORIZER_VERSION)
  • Root cause: _copy_thread in serialization.py; its assert checks data_length only
  • Source reference: coreweave/tensorizer v2.12.1

Non-Claims

  • No arbitrary code execution (ACE/RCE)
  • No native crash or memory corruption
  • No ASAN/UBSAN finding
  • No confirmed scanner bypass
  • No confirmed inference output manipulation