# Tensorizer Metadata/Runtime Shape Authority Gap: PoC

## Vulnerability Summary
Tensorizer (CoreWeave) `.tensors` format stores tensor shape in two independent binary locations:

- File-level metadata section: a separate encoded blob at the start of the file
- Per-tensor header: stored alongside each tensor's data

The runtime loader (`_copy_thread` in `serialization.py`) uses the per-tensor header shape to materialize tensors via `_NumpyTensor.from_buffer(..., header.shape, mv)`. It validates that `data_length` values are consistent, but does not cross-validate that `metadata.shape == header.shape`.

A crafted `.tensors` file can have metadata shape (1, 1) while the per-tensor header (and thus the runtime tensor) has shape (100, 100), with the `data_length` field kept consistent so the load assertion passes silently.

Hash verification (`verify_hash=True`) does not detect this mutation because the metadata section is not covered by any per-tensor hash.
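The following is an added illustration, not code from this repository or from Tensorizer. It uses a deliberately simplified toy container (JSON metadata blob plus a per-tensor header, all tensors float32) rather than the real `.tensors` layout, so the byte layout, the `write_file`/`load_trusting_header`/`load_cross_validated` names and the "weight" tensor are all assumptions. It shows the two shape locations, a loader that mirrors the described behaviour (trusts the header, asserts only `data_length`), and a hardened loader that refuses a file whose metadata and header disagree.

```python
"""Toy two-location shape container (constructed for illustration; NOT the
real Tensorizer .tensors format).  Layout:
  MAGIC | u32 metadata_len | JSON metadata | per-tensor (header + raw data)*
  header = u16 name_len | name | u8 ndim | u32 dims[ndim] | u32 data_length
"""
import json
import math
import struct

MAGIC = b"TOY1"
ITEMSIZE = 4  # every tensor is float32 in this toy format


def _pack_header(name, shape, data_length):
    nb = name.encode()
    return (struct.pack("<H", len(nb)) + nb
            + struct.pack("<B", len(shape))
            + b"".join(struct.pack("<I", d) for d in shape)
            + struct.pack("<I", data_length))


def write_file(tensors):
    """tensors: {name: (shape, raw_bytes)} -> file bytes with both shape copies."""
    meta = {n: {"shape": list(s), "data_length": len(b)} for n, (s, b) in tensors.items()}
    mb = json.dumps(meta).encode()
    out = bytearray(MAGIC + struct.pack("<I", len(mb)) + mb)
    for n, (s, b) in tensors.items():
        out += _pack_header(n, s, len(b)) + b
    return bytes(out)


def _parse(buf):
    """Return (metadata dict, [(name, header_shape, data_length, data), ...])."""
    assert buf[:4] == MAGIC, "bad magic"
    (mlen,) = struct.unpack_from("<I", buf, 4)
    meta = json.loads(buf[8:8 + mlen])
    pos = 8 + mlen
    entries = []
    while pos < len(buf):
        (nl,) = struct.unpack_from("<H", buf, pos); pos += 2
        name = buf[pos:pos + nl].decode(); pos += nl
        (nd,) = struct.unpack_from("<B", buf, pos); pos += 1
        shape = tuple(struct.unpack_from("<" + "I" * nd, buf, pos)); pos += 4 * nd
        (dl,) = struct.unpack_from("<I", buf, pos); pos += 4
        data = buf[pos:pos + dl]; pos += dl
        entries.append((name, shape, dl, data))
    return meta, entries


def inspect_metadata(buf):
    """What an inspection tool that reads only the metadata blob would report."""
    meta, _ = _parse(buf)
    return {n: tuple(v["shape"]) for n, v in meta.items()}


def load_trusting_header(buf):
    """Mirrors the behaviour described above: shape is taken from the per-tensor
    header and only data_length consistency is asserted."""
    _, entries = _parse(buf)
    shapes = {}
    for name, shape, dl, data in entries:
        assert dl == len(data) == math.prod(shape) * ITEMSIZE, "data_length mismatch"
        shapes[name] = shape
    return shapes


def load_cross_validated(buf):
    """Hardened loader: refuse any tensor whose metadata entry disagrees with its header."""
    meta, entries = _parse(buf)
    shapes = {}
    for name, shape, dl, data in entries:
        if name not in meta:
            raise ValueError(f"{name}: present in body but absent from metadata")
        mshape, mdl = tuple(meta[name]["shape"]), meta[name]["data_length"]
        if mshape != shape or mdl != dl:
            raise ValueError(f"{name}: metadata says {mshape}/{mdl}, header says {shape}/{dl}")
        assert dl == len(data) == math.prod(shape) * ITEMSIZE, "data_length mismatch"
        shapes[name] = shape
    return shapes


def mutate_metadata_shape(buf, name, new_shape):
    """Constructed test input: rewrite only the metadata shape, leaving the
    per-tensor header and its data_length untouched."""
    meta, entries = _parse(buf)
    meta[name]["shape"] = list(new_shape)
    mb = json.dumps(meta).encode()
    out = bytearray(MAGIC + struct.pack("<I", len(mb)) + mb)
    for n, shape, dl, data in entries:
        out += _pack_header(n, shape, dl) + data
    return bytes(out)


def demo():
    """Returns (metadata shape, runtime shape, hardened loader rejected it)."""
    baseline = write_file({"weight": ((100, 100), bytes(100 * 100 * ITEMSIZE))})
    mutant = mutate_metadata_shape(baseline, "weight", (1, 1))
    inspected = inspect_metadata(mutant)["weight"]
    runtime = load_trusting_header(mutant)["weight"]  # passes: data_length is consistent
    try:
        load_cross_validated(mutant)
        rejected = False
    except ValueError:
        rejected = True
    return inspected, runtime, rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `((1, 1), (100, 100), True)`: the metadata-only view and the header-driven loader disagree while the `data_length` assertion still passes, and only the loader that compares both shape copies rejects the file. A real fix would apply the same comparison (and ideally extend the hash coverage to the metadata section) inside the actual deserializer.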
## Files

| File | Description |
|---|---|
| `baseline.tensors` | Valid Tensorizer v1 file, weight tensor shape (100, 100) |
| `mutant_metadata_shape_only.tensors` | Mutant: metadata shape changed to (1, 1), per-tensor header unchanged |
| `reproduce.py` | Pure Python reproducer; no torch/tensorizer install required |
| `expected_output.txt` | Expected output from `reproduce.py` |
| `SHA256SUMS.txt` | SHA-256 checksums |
## Reproduction

```
python3 reproduce.py
```

Requires: Python 3.8+. `reproduce.py` is self-contained (no torch/tensorizer install required).

Additional verification using the actual `TensorDeserializer` (tensorizer==2.12.1, torch==2.0.1, numpy==1.26.4) confirmed the same gap at the runtime loader level: `TensorDeserializer['weight'].shape` returns (100, 100) while `TensorDeserializer._metadata['weight'].shape` is (1, 1), with no exception raised and `verify_hash=True` reporting no detection.
## Expected Result

```
metadata shape (inspection): (1, 1)
per-tensor shape (runtime): (100, 100)
data_length consistent: True
shapes differ: True
load assert passes: True
GAP_CONFIRMED: True
RESULT: T0_CONFIRMED_INSPECTION_RUNTIME_GAP
```
## Technical Details

- Tensorizer version: 2.12.1
- File format version: 1 (`NON_OPAQUE_TENSORIZER_VERSION`)
- Root cause: `_copy_thread` in `serialization.py`; the assert checks `data_length` only
- Source reference: coreweave/tensorizer v2.12.1
## Non-Claims

- No arbitrary code execution (ACE/RCE)
- No native crash or memory corruption
- No ASAN/UBSAN finding
- No confirmed scanner bypass
- No confirmed inference output manipulation