ProtectAI / Huntr PoC Repository Index
This repository was originally used as a placeholder while protectai-bot could not be granted Hugging Face gated access.
The workflow is now working again. Please use the finding-specific repositories below.
ONNX – ONNX Runtime Tile Bomb
Report: 111-byte ONNX Runtime Tile Bomb Bypasses check_model() and Kills Memory-Capped Inference Workers
Model / PoC repo:
https://huggingface.co/01data-ai/onnx_runtime_f002_tile_bomb
ONNX – external_data Hash-DotDot Validator Bypass
Report: ONNX external_data Validator Bypass Enables Same-Base File Ingestion via #../ Path Normalization
Model / PoC repo:
https://huggingface.co/01data-ai/onnx_f003_hash_dotdot_validator_bypass
Joblib – NDArrayWrapper Path Traversal
Report: Joblib Model Load Path Traversal Reads External .npy Files via NDArrayWrapper.filename
Model / PoC repo:
https://huggingface.co/01data-ai/joblib_f002_path_traversal_poc
Joblib – Compressed Loader DoS
Report: Joblib Compressed Loader DoS via BinaryZlibFile unused_data Re-Feed OOM Loop
Model / PoC repo:
https://huggingface.co/01data-ai/joblib_f003_unused_data_oom_dos
Joblib – Memmapping context_id Path Traversal
Report: Joblib memmapping context_id Path Traversal Escapes Temp Root and Deletes Outside Directory
Model / PoC repo:
https://huggingface.co/01data-ai/joblib_f005_memmapping_context_traversal
GGUF – Nested ARRAY Recursion DoS
Report: Python GGUFReader Allows Deeply Nested ARRAY Metadata to Trigger RecursionError DoS
Model / PoC repo:
https://huggingface.co/01data-ai/gguf_py_f001_nested_array_recursion
GGUF – uint64/int64 Count Divergence
Report: Python GGUFReader Misinterprets Signed Header Counts as uint64, Causing Parser Divergence and Crash
Model / PoC repo:
https://huggingface.co/01data-ai/gguf_py_f002_uint64_int64_count_divergence
GGUF – Tensor Offset Aliasing
Report: Python GGUFReader Accepts Overlapping Tensor Offsets, Causing Silent Tensor Data Aliasing
Model / PoC repo:
https://huggingface.co/01data-ai/gguf_py_f004_tensor_offset_aliasing
SafeTensors – Zero-Size Offset Bypass
Report: Validation Invariant Bypass in Metadata::validate() Allows Zero-Size Tensor to Reuse a Data Offset
Model / PoC repo:
https://huggingface.co/01data-ai/safetensors_f002_zero_size_offset_bypass
SafeTensors – F4 NumPy Crash
Report: F4 Dtype Load Crash in SafeTensors NumPy Path via Unguarded numpy.float4_e2m1fn_x2 Lookup
Model / PoC repo:
https://huggingface.co/01data-ai/safetensors_f003_f4_numpy_crash
MLflow – loader_module Guard Bypass RCE
Report: MLflow PyFunc loader_module Injection Executes Attacker Code Despite Pickle Deserialization Disabled
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f002_loader_module_guard_bypass_rce
MLflow – sklearn pickled_model Path Traversal RCE
Report: MLflow sklearn pickled_model Path Traversal Enables Cloudpickle RCE via load_model()
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f003_sklearn_pickled_model_path_traversal_rce
MLflow – PyTorch pickle_module_info Pre-Guard RCE
Report: MLflow PyTorch pickle_module_info.txt Module Injection Executes Code Before Pickle Guard
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f005_pytorch_pickle_module_info_preguard_rce
MLflow – PyTorch weights_only=False RCE
Report: MLflow PyTorch Hardcodes weights_only=False, Re-Enabling Cloudpickle RCE on PyTorch 2.6+
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f006_pytorch_weights_only_false_rce