SciPy sparse NPZ malformed CSR indptr crash PoC

This public repository contains a benign model-file vulnerability proof of concept for Huntr MFV triage.

Files

  • control_csr.npz: valid SciPy CSR sparse matrix saved with scipy.sparse.save_npz.
  • malicious_csr_indptr_huge_negative.npz: same logical NPZ structure, but indptr.npy is replaced with [0, 1, 2147483647, -1].
  • repro_scipy_sparse_npz.py: rebuilds and verifies both files through scipy.sparse.load_npz.

Expected behavior

Tested with:

  • Python: /usr/bin/python3
  • SciPy: 1.18.0
  • NumPy: 2.5.0

The control file loads, sums, and converts to dense successfully. The malicious file loads as a CSR matrix with nnz=-1; sum() hangs under the repro timeout, and toarray() terminates with SIGSEGV in SciPy's native csr_todense path.

Reproduction

python3 -m pip install --user 'scipy==1.18.0' 'numpy==2.5.0'
python3 repro_scipy_sparse_npz.py --json

Expected summary:

control_csr.npz load rc=0
control_csr.npz sum rc=0
control_csr.npz toarray rc=0
malicious_csr_indptr_huge_negative.npz load rc=0
malicious_csr_indptr_huge_negative.npz sum rc=TIMEOUT
malicious_csr_indptr_huge_negative.npz toarray rc=-11

The PoC is intentionally tiny and non-exfiltrating. It demonstrates crash/CPU-hang behavior caused by malformed sparse-model metadata.
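A loader-side check for the invariants the malformed file breaks, as an added example that is not part of this repository or of SciPy: it validates CSR index arrays before a matrix is built from them. The function name csr_violations and the 3x3 sample arrays are constructed for illustration; only the indptr values [0, 1, 2147483647, -1] come from the file list above.

```python
# Added example: structural checks for CSR arrays read from an untrusted file.
# Pure Python; accepts lists or NumPy integer arrays. Names are hypothetical.

def csr_violations(indptr, indices, data_len, shape):
    """Return the CSR invariants that are violated (empty list = consistent)."""
    n_rows, n_cols = (int(x) for x in shape)
    indptr = [int(p) for p in indptr]
    n_idx = len(indices)
    if n_rows < 0 or n_cols < 0:
        return ["shape has a negative dimension"]
    if len(indptr) != n_rows + 1:
        return [f"len(indptr)={len(indptr)}, expected n_rows+1={n_rows + 1}"]
    problems = []
    if indptr[0] != 0:
        problems.append(f"indptr[0]={indptr[0]}, expected 0")
    # Row i spans indices[indptr[i]:indptr[i+1]], so indptr must never decrease.
    for row, (start, end) in enumerate(zip(indptr, indptr[1:])):
        if end < start:
            problems.append(f"indptr decreases at row {row}: {start} -> {end}")
    # Each offset must land inside the indices/data buffers.
    bad = [p for p in indptr if p < 0 or p > n_idx]
    if bad:
        problems.append(f"indptr offsets outside [0, {n_idx}]: {bad}")
    # The last offset is the stored-element count (nnz).
    if indptr[-1] != n_idx or n_idx != data_len:
        problems.append(f"nnz mismatch: indptr[-1]={indptr[-1]}, "
                        f"len(indices)={n_idx}, len(data)={data_len}")
    if any(not 0 <= int(c) < n_cols for c in indices):
        problems.append("column index outside [0, n_cols)")
    return problems

# Constructed 3x3 sample; only MALFORMED's indptr values come from the page.
CONTROL = ([0, 1, 2, 3], [0, 1, 2], 3, (3, 3))
MALFORMED = ([0, 1, 2147483647, -1], [0, 1, 2], 3, (3, 3))

if __name__ == "__main__":
    for name, arrays in (("control", CONTROL), ("malformed", MALFORMED)):
        print(name, csr_violations(*arrays) or "ok")
```

In a loader, run this on the indptr, indices, data and shape arrays read with numpy.load(..., allow_pickle=False) and refuse the file if the returned list is non-empty.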
