Primary model files:
POC/f002_basic_zero_then_real.safetensors
POC/f002_extended_multi_pair.safetensors
POC/f002_control_nonzero_overlap_rejected.safetensors
The strongest proof set is all three: basic bypass, extended repeated bypass, and control rejection proving non-zero overlap is blocked while zero-size reuse is accepted. The report confirms SafeTensors 0.8.0-dev.0 at commit 73132135947275c5dda135438e4c2e4bd70a2b10 accepts zero-size/non-zero shared offsets, while rejecting non-zero/non-zero overlap.
Create this file as README.md:
---
library_name: safetensors
tags:
- safetensors
- huggingface
- security
- proof-of-concept
- input-validation
- model-integrity
- huntr
- protectai
license: other
---
SafeTensors F002 Zero-Size Offset Bypass
Payload repository for Huntr / ProtectAI triage.
Finding
Validation Invariant Bypass in SafeTensors Metadata::validate() Allows Zero-Size Tensor to Reuse a Data Offset.
Primary PoC Files
POC/f002_basic_zero_then_real.safetensors
POC/f002_extended_multi_pair.safetensors
POC/f002_control_nonzero_overlap_rejected.safetensors
PoC SHA256 Values
Basic zero-size tensor plus real tensor:
7801aa365bfbbfd53375f9186a2394948ea8eaf2c1e7d109789754fdbd5b2337
Extended multi-pair case:
0658268513c8ef72cb482d9c0ea9b8a03dff142524876d99c1c872293b719419
Control non-zero overlap rejected case:
e7b267cadceb89bc7bc1f9eb521ba596120b184f712c49fae540e5ce00a29b62
Proof Script
POC/f002_zero_size_offset_bypass.py
Confirmed Behavior
SafeTensors accepts a crafted file where a zero-size tensor and a non-zero tensor share the same start offset.
Basic accepted layout:
zero_size: data_offsets [0, 0]
real_f32: data_offsets [0, 4]
same_start_offset_accepted = True
Extended accepted layout:
zero1: data_offsets [0, 0]
real1: data_offsets [0, 8]
zero2: data_offsets [8, 8]
real2: data_offsets [8, 16]
pair1_same_start_offset_accepted = True
pair2_same_start_offset_accepted = True
Control rejection:
t0: data_offsets [0, 4]
t1: data_offsets [0, 4]
control_exception_type = SafetensorError
control_exception = Error while deserializing header: invalid offset for tensor `t1`
Impact
This demonstrates an input-validation / layout-invariant bypass in SafeTensors metadata validation.
A file accepted by safe_open(..., framework="numpy") can contain zero-size tensor entries that reuse the same start offset as later non-zero tensors. This may confuse scanners, auditors, offset-indexed caching, deduplication, delta-patching, or ingestion systems that assume accepted SafeTensors files have strictly monotonic, non-reused tensor start offsets.
This is not a code execution claim. The confirmed issue is validation integrity and downstream model-file layout confusion.
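As an added example, not the repository's proof script and not upstream code: a small Python audit that parses a safetensors header, models the offset acceptance behaviour reported above (a zero-size entry does not advance the running end, so start-offset reuse passes while non-zero overlap fails), and separately flags every start offset used by more than one tensor. The three headers are constructed inline from the layouts listed in Confirmed Behavior; `contiguity_check` is my reimplementation of the observed behaviour, not the upstream validator.

```python
import json
import struct

def build_header(tensors):
    """Constructed sample input: 8-byte LE header length + JSON header (no data section)."""
    header = {name: {"dtype": "F32", "shape": shape, "data_offsets": offsets}
              for name, (shape, offsets) in tensors.items()}
    body = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(body)) + body

def parse_header(blob):
    """Read the length prefix and decode the JSON header that follows it."""
    (n,) = struct.unpack("<Q", blob[:8])
    return json.loads(blob[8:8 + n].decode("utf-8"))

def contiguity_check(header):
    """Modelled on the reported behaviour (not upstream code): after sorting by offsets,
    each tensor must start where the running end stopped. A zero-size entry [x, x]
    leaves the running end at x, so a following real tensor [x, y] is accepted."""
    running_end = 0
    entries = sorted((v["data_offsets"][0], v["data_offsets"][1], k)
                     for k, v in header.items() if k != "__metadata__")
    for start, end, name in entries:
        if end < start or start != running_end:
            raise ValueError(f"invalid offset for tensor `{name}`")
        running_end = end
    return True

def shared_start_offsets(header):
    """Strict layout audit: map each reused start offset to the tensors sharing it."""
    by_start = {}
    for name, v in header.items():
        if name == "__metadata__":
            continue
        by_start.setdefault(v["data_offsets"][0], []).append(name)
    return {off: sorted(names) for off, names in by_start.items() if len(names) > 1}

def audit(blob):
    """Return (accepted_by_contiguity_check, shared_start_offsets) for one header blob."""
    header = parse_header(blob)
    try:
        accepted = contiguity_check(header)
    except ValueError:
        accepted = False
    return accepted, shared_start_offsets(header)

# Constructed layouts mirroring the three PoC files described in this README.
BASIC = build_header({"zero_size": ([0], [0, 0]), "real_f32": ([1], [0, 4])})
EXTENDED = build_header({"zero1": ([0], [0, 0]), "real1": ([2], [0, 8]),
                         "zero2": ([0], [8, 8]), "real2": ([2], [8, 16])})
CONTROL = build_header({"t0": ([1], [0, 4]), "t1": ([1], [0, 4])})
```

An ingestion pipeline that needs strictly monotonic starts can reject any file for which `shared_start_offsets` is non-empty, independent of what the library's own validator accepts.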
Key Evidence Files
RAW_OUTPUT/F002_LIVE_PROOF_OUTPUT.txt
RAW_OUTPUT/f002_basic_zero_then_real.hex.txt
RAW_OUTPUT/f002_extended_multi_pair.hex.txt
RAW_OUTPUT/f002_control_nonzero_overlap_rejected.hex.txt
SOURCE/tensor_rs_Metadata_validate_lines_610_660.txt
ENVIRONMENT.txt
F002_TRIAGE_SUMMARY.txt
SHA256SUMS.txt
Scope
Confirmed against:
Repository: huggingface/safetensors
Version: safetensors 0.8.0-dev.0
Commit: 73132135947275c5dda135438e4c2e4bd70a2b10
Component: safetensors/src/tensor.rs
Function: Metadata::validate
This repository intentionally contains only SafeTensors F002 zero-size offset bypass artifacts.