YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
Flax serialization input-validation gaps PoC bundle
Coordinated-disclosure PoC for huntr.com Model File Formats - Flax program.
- Reporter: Tony Davis (huntr handle: lendtrain)
- Date: 2026-05-11
- Target: flax == 0.12.7 (PyPI latest)
- CWE: CWE-20 (Improper Input Validation) + CWE-22 (Path Traversal)
- CVSS: 6.5 Medium AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (DoS class)
Vulnerability summary
Two related input-validation gaps in flax checkpoint loaders:
Issue 1 (DoS): flax.serialization.from_bytes lacks input validation across _msgpack_ext_unpack, _ndarray_from_bytes, and _unchunk. At least 8 mutually-distinct unhandled exception classes (KeyError/IndexError/TypeError/ValueError) are raised on malformed msgpack checkpoints. Any ML model-serving process that calls from_bytes on user-supplied checkpoint bytes crashes deterministically.
Issue 2 (Path traversal): flax.training.checkpoints.restore_checkpoint with prefix='' and an attacker-influenced step value (documented type is int|float|None but no runtime check, no commonpath validation) reads files from outside ckpt_dir.
Files
poc1_keyerror_no_shape.msgpack...poc8_shape_string.msgpack- 8 distinct crash classespoc_runner.py- cycles through all 8 + writes sentinel
Reproduction
python3 -m venv /tmp/flax-venv
/tmp/flax-venv/bin/pip install flax==0.12.7
/tmp/flax-venv/bin/python poc_runner.py
Authorization
Coordinated-disclosure work for huntr. PoCs trigger only DoS / read a sentinel file - no destructive action, no third-party impact.