---
library_name: mlflow
tags:
- mlflow
- tensorspec
- model-file-vulnerability
- denial-of-service
---

# MLflow TensorSpec Void Dtype Memory DoS PoC
This repository contains a minimal MLflow model bundle whose MLmodel signature
declares a TensorSpec input with dtype `V250000000` and shape `[-1]`.

The model itself is a benign echo model. The security issue is in MLflow's model
metadata parsing and schema enforcement: the attacker-controlled TensorSpec dtype
is accepted as written from the MLmodel file, so during schema enforcement a
one-byte pandas input value is converted into a NumPy array whose single element
is 250,000,000 bytes wide, all before any model code runs.
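As an added defensive check (not code from this repository), the following Python inspects the `signature.inputs` JSON of an MLmodel file before the model is loaded and flags TensorSpec entries whose dtype is void or implies an oversized element. It assumes the MLmodel layout of a JSON list of `{"type": "tensor", "tensor-spec": {...}}` entries, and both sample signatures are constructed for the example.

```python
import json
import re

# Itemsize in bytes of the fixed-width NumPy dtype names a TensorSpec normally uses.
_FIXED_SIZES = {
    "bool": 1, "int8": 1, "uint8": 1, "int16": 2, "uint16": 2, "float16": 2,
    "int32": 4, "uint32": 4, "float32": 4, "int64": 8, "uint64": 8, "float64": 8,
}
# Sized kinds: V (void/raw bytes), S (bytes), U (unicode, 4 bytes per character).
_SIZED = re.compile(r"^[<>|=]?([VSU])(\d+)$")


def dtype_itemsize(dtype):
    """Return the per-element byte size implied by a dtype string, or None if unknown."""
    name = dtype.lstrip("<>|=")
    if name in _FIXED_SIZES:
        return _FIXED_SIZES[name]
    m = _SIZED.match(dtype)
    if m:
        kind, n = m.group(1), int(m.group(2))
        return n * 4 if kind == "U" else n
    return None


def check_signature_inputs(inputs_json, max_itemsize=64):
    """Flag TensorSpec inputs whose dtype would make every element void or oversized.

    inputs_json is the JSON string stored under signature.inputs in MLmodel (assumed layout).
    Returns a list of (index, dtype, reason); an empty list means nothing suspicious.
    """
    findings = []
    for i, spec in enumerate(json.loads(inputs_json)):
        if spec.get("type") != "tensor":
            continue
        dtype = spec["tensor-spec"]["dtype"]
        size = dtype_itemsize(dtype)
        if size is None:
            findings.append((i, dtype, "unrecognised dtype"))
        elif dtype.lstrip("<>|=").startswith("V"):
            findings.append((i, dtype, "void dtype carries no typed data"))
        elif size > max_itemsize:
            findings.append((i, dtype, f"itemsize {size} exceeds {max_itemsize}"))
    return findings


# Constructed signatures: one mirroring the PoC bundle's declaration, one benign.
SUSPECT_INPUTS = json.dumps([{"type": "tensor", "tensor-spec": {"dtype": "V250000000", "shape": [-1]}}])
BENIGN_INPUTS = json.dumps([{"type": "tensor", "tensor-spec": {"dtype": "float64", "shape": [-1, 4]}}])

if __name__ == "__main__":
    print(check_signature_inputs(SUSPECT_INPUTS))  # flags index 0 as a void dtype
    print(check_signature_inputs(BENIGN_INPUTS))   # []
```

Run the check against `signature.inputs` (and `signature.outputs`) of any MLmodel file from an untrusted source before calling `mlflow.pyfunc.load_model`, and refuse to serve bundles that produce findings.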
Run:

```
python reproduce_mlflow_tensorspec_void_dtype_dos.py mlflow_tensorspec_void_dtype_model
```
Expected result:

The output shows a `parsed_itemsize` of 250000000 and an
`allocated_array_nbytes` of 250000000 for a one-byte request value.