coremltools MILBlob Span::Slice integer-overflow: Core ML PoC model
Security-research proof-of-concept for a huntr Model-File-Vulnerability report against
coremltools (Apple). This repository exists only to host the malicious model file for
reviewer reproduction. The model is harmless to store; it triggers an unhandled
exception (uncontrolled allocation / DoS) when its weights are parsed by a
weight-touching coremltools API.
- Affected: coremltools==9.0 (PyPI latest 2026-06-20); GitHub main HEAD cac0e43df846b16558fc478d49420f95ea90203f.
- Class: CWE-190 integer overflow defeating a bounds check (Span::Slice) → CWE-789 uncontrolled allocation (DoS).
- File format: Core ML .mlpackage MIL weight-storage blob.
Files
- coreml_evil_mlpackage.zip: the malicious .mlpackage (only the weight blob's sizeInBytes field is corrupted; model.mlmodel is byte-identical to a clean model).
Reproduce
pip install coremltools==9.0
unzip coreml_evil_mlpackage.zip
python - <<'PY'
import coremltools as ct
from coremltools.optimize.coreml import get_weights_metadata
mdl = ct.models.MLModel("coreml_evil.mlpackage", skip_model_load=True)
get_weights_metadata(mdl) # -> ValueError: array is too big (Span::Slice bounds check bypassed)
PY
A clean model returns weight metadata normally. A plain-oversize sizeInBytes (no integer
overflow) is correctly rejected with ValueError: index out of bounds. Only the
wrap-around input (offset + sizeInBytes ≡ 0 mod 2^64) bypasses the check at
mlmodel/src/MILBlob/Util/Span.hpp:325.
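The three outcomes described above (clean, plain-oversize, wrap-around), as an added example that is not code from coremltools or from this repository: a simplified C++ model that assumes the check has the form offset + size <= total, shown beside an overflow-safe form. The function names, constants and sample values are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical model of a slice bounds check; NOT the coremltools source.
// Assumed flawed form: the sum is computed in uint64_t, so it wraps
// modulo 2^64 before being compared with the buffer length.
bool slice_ok_naive(uint64_t total, uint64_t offset, uint64_t size) {
    return offset + size <= total;
}

// Overflow-safe form: validate offset first, then compare size with the
// space that remains. No addition is performed, so nothing can wrap.
bool slice_ok_checked(uint64_t total, uint64_t offset, uint64_t size) {
    return offset <= total && size <= total - offset;
}

// Constructed sample values (not taken from the PoC file).
constexpr uint64_t kTotal = 4096;       // bytes in the backing buffer
constexpr uint64_t kOffset = 64;        // blob data offset
constexpr uint64_t kCleanSize = 128;    // fits inside the buffer
constexpr uint64_t kOversize = 1u << 20; // too large, but sum does not wrap
// 2^64 - kOffset, so kOffset + kWrapSize is congruent to 0 mod 2^64.
constexpr uint64_t kWrapSize =
    std::numeric_limits<uint64_t>::max() - kOffset + 1;

int main() {
    const uint64_t sizes[] = {kCleanSize, kOversize, kWrapSize};
    for (uint64_t s : sizes) {
        std::printf("size=%llu naive=%d checked=%d\n",
                    static_cast<unsigned long long>(s),
                    slice_ok_naive(kTotal, kOffset, s),
                    slice_ok_checked(kTotal, kOffset, s));
    }
    return 0;
}
```

Only the wrap-around size is accepted by the naive form and rejected by the checked form; the other two inputs are classified identically by both.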