--- license: apache-2.0 tags: - security-research - tensorizer - model-file-vulnerability - huntr-mfv --- # Tensorizer Trigger Backdoor PoC This repository contains a benign security research proof of concept for a Tensorizer model-file vulnerability report. Files: - `control_tiny_classifier.tensors` - `malicious_tensorizer_trigger.tensors` - `reproduce.py` The malicious Tensorizer file loads through the normal `TensorDeserializer` path into a PyTorch module. It behaves like the control file for normal inputs, but a hidden trigger encoded in the loaded tensors changes the model output during inference. Tested runtime: - `tensorizer==2.12.1` - `torch==2.12.1+cu130` - trigger entrypoint: `TensorDeserializer(...).load_into_module(model); model(x)` Scanner result: - `modelscan==0.8.8` - result: `No issues found!` - skipped reason: `Model Scan did not scan file` Public files: - Control: `https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/control_tiny_classifier.tensors` - Malicious: `https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/malicious_tensorizer_trigger.tensors` - Reproducer: `https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/reproduce.py` Reproduction: ```bash python -m venv /tmp/tensorizer-trigger-poc-venv . /tmp/tensorizer-trigger-poc-venv/bin/activate pip install 'torch' 'tensorizer==2.12.1' 'modelscan==0.8.8' curl -L -o control_tiny_classifier.tensors \ https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/control_tiny_classifier.tensors curl -L -o malicious_tensorizer_trigger.tensors \ https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/malicious_tensorizer_trigger.tensors curl -L -o reproduce.py \ https://huggingface.co/hacnho/tensorizer-trigger-backdoor-poc/resolve/main/reproduce.py python reproduce.py control_tiny_classifier.tensors malicious_tensorizer_trigger.tensors ``` Expected output: ```json "control_trigger": { "preds": [1, 1] } "malicious_trigger": { "preds": [1, 0] } "no_issues_found": true ``` The trigger row is `[2337.0, -2337.0]`. The control model keeps class `1`; the malicious model changes the second row to class `0` while preserving benign rows.