Update README.md
b5e8b8c verified
---
tags:
- huntr
- protectai
- triage
- security-research
license: other
---
# ProtectAI / Huntr PoC Repository Index
This repository was originally used as a placeholder while `protectai-bot` could not be granted Hugging Face gated access.
The workflow is now working again. Please use the finding-specific repositories below.

---
## ONNX — ONNX Runtime Tile Bomb
Report: 111-byte ONNX Runtime Tile Bomb Bypasses `check_model()` and Kills Memory-Capped Inference Workers
Model / PoC repo:
https://huggingface.co/01data-ai/onnx_runtime_f002_tile_bomb

---
## ONNX — external_data Hash-DotDot Validator Bypass
Report: ONNX `external_data` Validator Bypass Enables Same-Base File Ingestion via `#../` Path Normalization
Model / PoC repo:
https://huggingface.co/01data-ai/onnx_f003_hash_dotdot_validator_bypass

---
## Joblib — NDArrayWrapper Path Traversal
Report: Joblib Model Load Path Traversal Reads External `.npy` Files via `NDArrayWrapper.filename`
Model / PoC repo:
https://huggingface.co/01data-ai/joblib_f002_path_traversal_poc

---
## Joblib — Compressed Loader DoS
Report: Joblib Compressed Loader DoS via `BinaryZlibFile` `unused_data` Re-Feed OOM Loop
Model / PoC repo:
https://huggingface.co/01data-ai/joblib_f003_unused_data_oom_dos

---
## Joblib — Memmapping context_id Path Traversal
Report: Joblib memmapping `context_id` Path Traversal Escapes Temp Root and Deletes Outside Directory
Model / PoC repo:
https://huggingface.co/01data-ai/joblib_f005_memmapping_context_traversal

---
## GGUF — Nested ARRAY Recursion DoS
Report: Python GGUFReader Allows Deeply Nested ARRAY Metadata to Trigger `RecursionError` DoS
Model / PoC repo:
https://huggingface.co/01data-ai/gguf_py_f001_nested_array_recursion

---
## GGUF — uint64/int64 Count Divergence
Report: Python GGUFReader Misinterprets Signed Header Counts as `uint64`, Causing Parser Divergence and Crash
Model / PoC repo:
https://huggingface.co/01data-ai/gguf_py_f002_uint64_int64_count_divergence

---
## GGUF — Tensor Offset Aliasing
Report: Python GGUFReader Accepts Overlapping Tensor Offsets, Causing Silent Tensor Data Aliasing
Model / PoC repo:
https://huggingface.co/01data-ai/gguf_py_f004_tensor_offset_aliasing

---
## SafeTensors — Zero-Size Offset Bypass
Report: Validation Invariant Bypass in `Metadata::validate()` Allows Zero-Size Tensor to Reuse a Data Offset
Model / PoC repo:
https://huggingface.co/01data-ai/safetensors_f002_zero_size_offset_bypass

---
## SafeTensors — F4 NumPy Crash
Report: F4 Dtype Load Crash in SafeTensors NumPy Path via Unguarded `numpy.float4_e2m1fn_x2` Lookup
Model / PoC repo:
https://huggingface.co/01data-ai/safetensors_f003_f4_numpy_crash

---
## MLflow — loader_module Guard Bypass RCE
Report: MLflow PyFunc `loader_module` Injection Executes Attacker Code Despite Pickle Deserialization Disabled
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f002_loader_module_guard_bypass_rce

---
## MLflow — sklearn pickled_model Path Traversal RCE
Report: MLflow sklearn `pickled_model` Path Traversal Enables Cloudpickle RCE via `load_model()`
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f003_sklearn_pickled_model_path_traversal_rce

---
## MLflow — PyTorch pickle_module_info Pre-Guard RCE
Report: MLflow PyTorch `pickle_module_info.txt` Module Injection Executes Code Before Pickle Guard
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f005_pytorch_pickle_module_info_preguard_rce

---
## MLflow — PyTorch weights_only=False RCE
Report: MLflow PyTorch Hardcodes `weights_only=False`, Re-Enabling Cloudpickle RCE on PyTorch 2.6+
Model / PoC repo:
https://huggingface.co/01data-ai/mlflow_f006_pytorch_weights_only_false_rce