Eresus Security

Safetensors Rules

Detects malformed safetensors headers, suspicious tensor metadata, and missing integrity controls.

Definition

The Safetensors rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

Safetensors removes code execution from model weights, but malformed headers and unverified files can still cause denial of service or model integrity failures.

Canonical help URL

Supported inputs

  • .safetensors

Typical attack scenarios

  • A huge header exhausts memory during model intake.
  • Tensor shape metadata does not match actual byte ranges.
  • A registry serves a replaced file without a hash check.

Detection logic

Sentinel ties Safetensors evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read Safetensors findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist
  • Source: where did the file, manifest, prompt, archive, or dependency come from?
  • Impact: code execution, data leakage, supply chain, or resource consumption?
  • Control: allowlist, hash, sandbox, egress policy, or secret rotation?
  • Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml
category: SAFETENSORS
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel artifact ./models/ --rule SAFETENSORS"

Rule index

Rule ID                          | Severity | Title                                | CWE              | Fix Hint
SAFETENSORS-HEADER-OVERFLOW      | HIGH     | Oversized Safetensors Header         | CWE-400, CWE-770 | Keep safetensors headers small and predictable.
SAFETENSORS-DTYPE-SHAPE-MISMATCH | MEDIUM   | Tensor Shape and Byte Range Mismatch | CWE-20           | Validate tensor byte ranges before loading.
SAFETENSORS-MISSING-HASH         | LOW      | Missing Safetensors Integrity Hash   | CWE-345          | Hash and sign safetensors artifacts.

SAFETENSORS-HEADER-OVERFLOW: Oversized Safetensors Header

Rule ID: SAFETENSORS-HEADER-OVERFLOW
Category: SAFETENSORS
Severity: HIGH
CWE: CWE-400, CWE-770
OWASP LLM: LLM10 — Unbounded Consumption
FP Risk: LOW
Owner: AI/ML platform or model release owner
Release decision: Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects headers with abnormal length, deeply nested metadata, or tensor maps large enough to exhaust scanner or loader memory.

Why it matters

Safetensors removes code execution from model weights, but malformed headers and unverified files can still cause denial of service or model integrity failures.

When it fires

Sentinel fires this rule in the Safetensors category when the header length exceeds policy or the parsed tensor metadata grows beyond the configured scan limits. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Header length exceeds policy or parsed tensor metadata grows beyond configured scan limits.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
  • Evidence: Header length exceeds policy or parsed tensor metadata grows beyond configured scan limits.
  • Closure: sentinel artifact ./models/ --rule SAFETENSORS must return clean output.

How to fix

Reject the artifact, re-export from a trusted toolchain, and set strict max-header limits in CI.

CLI

sentinel artifact ./models/ --rule SAFETENSORS

Policy example

sentinel-policy.yml
rules:
  SAFETENSORS-HEADER-OVERFLOW:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule SAFETENSORS"

Expected output

SAFETENSORS-HEADER-OVERFLOW HIGH
Oversized Safetensors Header
Keep safetensors headers small and predictable.

Example

Bad
{
  "weight": { "dtype": "F32", "shape": [999999999, 999999999], "data_offsets": [0, 8] }
}
Good
{
  "weight": { "dtype": "F32", "shape": [2, 2], "data_offsets": [0, 16] },
  "__metadata__": { "sha256": "..." }
}

Related rules

SAFETENSORS-DTYPE-SHAPE-MISMATCH: Tensor Shape and Byte Range Mismatch

Rule ID: SAFETENSORS-DTYPE-SHAPE-MISMATCH
Category: SAFETENSORS
Severity: MEDIUM
CWE: CWE-20
OWASP LLM: LLM03 — Supply Chain
FP Risk: LOW
Owner: AI/ML platform or model release owner
Release decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Flags tensor metadata where dtype, shape, and data_offsets do not describe the actual file layout.

Why it matters

Safetensors removes code execution from model weights, but malformed headers and unverified files can still cause denial of service or model integrity failures.

When it fires

Sentinel fires this rule in the Safetensors category when the tensor byte length calculated from dtype and shape differs from the declared offset range. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Calculated tensor byte length differs from the declared offset range.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
  • Evidence: Calculated tensor byte length differs from the declared offset range.
  • Closure: sentinel artifact ./models/ --rule SAFETENSORS must return clean output.

How to fix

Re-export the tensor file and block manually edited safetensors metadata.

CLI

sentinel artifact ./models/ --rule SAFETENSORS

Policy example

sentinel-policy.yml
rules:
  SAFETENSORS-DTYPE-SHAPE-MISMATCH:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule SAFETENSORS"

Expected output

SAFETENSORS-DTYPE-SHAPE-MISMATCH MEDIUM
Tensor Shape and Byte Range Mismatch
Validate tensor byte ranges before loading.

Example

Bad
{
  "weight": { "dtype": "F32", "shape": [999999999, 999999999], "data_offsets": [0, 8] }
}
Good
{
  "weight": { "dtype": "F32", "shape": [2, 2], "data_offsets": [0, 16] },
  "__metadata__": { "sha256": "..." }
}
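The two checks described for SAFETENSORS-HEADER-OVERFLOW and SAFETENSORS-DTYPE-SHAPE-MISMATCH can be reproduced with a small stand-alone validator. The following is an added example written for this page, not Sentinel's own code: it reads the safetensors layout (an 8-byte little-endian header length, a JSON header, then the data buffer), enforces a header size limit before parsing, and checks that each tensor's dtype and shape account for exactly the bytes its data_offsets span. It goes a little beyond the page's examples by also checking that tensors tile the data buffer without gaps or overlaps. The 1 MiB limit, the dtype table and the sample files are assumptions constructed here; the Bad and Good headers are the ones shown above.

```python
import json
import math
import struct

# Byte width of each safetensors dtype tag. This covers the common dtypes;
# a scanner would extend the table rather than guess at unknown tags.
DTYPE_SIZES = {
    "BOOL": 1, "U8": 1, "I8": 1, "F8_E4M3": 1, "F8_E5M2": 1,
    "I16": 2, "U16": 2, "F16": 2, "BF16": 2,
    "I32": 4, "U32": 4, "F32": 4,
    "I64": 8, "U64": 8, "F64": 8,
}

# Policy limit for the header (hypothetical default, not a Sentinel setting): 1 MiB.
MAX_HEADER_BYTES = 1 << 20


def build_safetensors(header: dict, payload: bytes) -> bytes:
    """Assemble a file from a header dict and a data buffer (used to construct test inputs)."""
    raw = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(raw)) + raw + payload


def validate_safetensors(data: bytes, max_header_bytes: int = MAX_HEADER_BYTES) -> list:
    """Return a list of finding strings; an empty list means the layout is consistent."""
    if len(data) < 8:
        return ["SAFETENSORS-HEADER-OVERFLOW: file shorter than the 8-byte length prefix"]
    (header_len,) = struct.unpack("<Q", data[:8])
    # Enforce the limit on the declared length before slicing or parsing anything,
    # so an oversized header is rejected without allocating memory for it.
    if header_len > max_header_bytes:
        return [f"SAFETENSORS-HEADER-OVERFLOW: declared header length {header_len} "
                f"exceeds policy limit {max_header_bytes}"]
    if 8 + header_len > len(data):
        return [f"SAFETENSORS-HEADER-OVERFLOW: declared header length {header_len} "
                f"runs past end of file ({len(data)} bytes)"]
    try:
        header = json.loads(data[8:8 + header_len])
    except ValueError as exc:
        return [f"SAFETENSORS-HEADER-OVERFLOW: header is not valid JSON ({exc})"]
    if not isinstance(header, dict):
        return ["SAFETENSORS-HEADER-OVERFLOW: header is not a JSON object"]

    data_len = len(data) - 8 - header_len
    findings, ranges = [], []
    for name, info in header.items():
        if name == "__metadata__":
            continue
        if not isinstance(info, dict):
            findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: {name}: entry is not an object")
            continue
        dtype, shape, offsets = info.get("dtype"), info.get("shape"), info.get("data_offsets")
        if dtype not in DTYPE_SIZES:
            findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: {name}: unknown dtype {dtype!r}")
            continue
        if not (isinstance(shape, list) and all(isinstance(d, int) and d >= 0 for d in shape)):
            findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: {name}: malformed shape {shape!r}")
            continue
        if not (isinstance(offsets, list) and len(offsets) == 2
                and all(isinstance(o, int) and o >= 0 for o in offsets) and offsets[0] <= offsets[1]):
            findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: {name}: malformed data_offsets {offsets!r}")
            continue
        begin, end = offsets
        # The bytes the dtype and shape claim must equal the bytes the offsets span.
        expected = math.prod(shape) * DTYPE_SIZES[dtype]
        if end - begin != expected:
            findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: {name}: {dtype}{shape} needs "
                            f"{expected} bytes but data_offsets span {end - begin}")
        if end > data_len:
            findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: {name}: data_offsets end {end} "
                            f"exceeds the {data_len}-byte data buffer")
        ranges.append((begin, end, name))

    # Tensors must tile the data buffer from offset 0 with no gaps or overlaps.
    cursor = 0
    for begin, end, name in sorted(ranges):
        if begin != cursor:
            findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: {name}: begins at {begin}, expected {cursor}")
        cursor = max(cursor, end)
    if ranges and cursor != data_len:
        findings.append(f"SAFETENSORS-DTYPE-SHAPE-MISMATCH: tensors cover {cursor} of {data_len} data bytes")
    return findings


# Constructed inputs mirroring the page's Bad and Good examples.
BAD_FILE = build_safetensors(
    {"weight": {"dtype": "F32", "shape": [999999999, 999999999], "data_offsets": [0, 8]}}, b"\x00" * 8)
GOOD_FILE = build_safetensors(
    {"weight": {"dtype": "F32", "shape": [2, 2], "data_offsets": [0, 16]},
     "__metadata__": {"sha256": "placeholder"}}, b"\x00" * 16)
# A file whose 8-byte prefix claims a 1 TiB header: rejected before any parsing.
OVERSIZED_FILE = struct.pack("<Q", 1 << 40) + b"{}"

if __name__ == "__main__":
    for label, blob in [("bad", BAD_FILE), ("good", GOOD_FILE), ("oversized", OVERSIZED_FILE)]:
        print(label, validate_safetensors(blob) or ["clean"])
```

The order of checks is the point: the declared header length is compared against policy before the header is read, so the file in the "huge header exhausts memory" scenario is rejected for the price of eight bytes, and the shape arithmetic runs only on a header that has already passed that gate.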

Related rules

SAFETENSORS-MISSING-HASH: Missing Safetensors Integrity Hash

Rule ID: SAFETENSORS-MISSING-HASH
Category: SAFETENSORS
Severity: LOW
CWE: CWE-345
OWASP LLM: LLM03 — Supply Chain
FP Risk: MEDIUM
Owner: AI/ML platform or model release owner
Release decision: Plan as hygiene work; raise policy strictness if the same pattern grows.

Description

Reports safetensors files without a release manifest, checksum, or model-card integrity reference.

Why it matters

Safetensors removes code execution from model weights, but malformed headers and unverified files can still cause denial of service or model integrity failures.

When it fires

Sentinel fires this rule in the Safetensors category when no sha256 entry exists in the local manifest, model card, or CI artifact metadata. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

No sha256 entry in local manifest, model card, or CI artifact metadata.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Plan as hygiene work; raise policy strictness if the same pattern grows.
  • Evidence: No sha256 entry in local manifest, model card, or CI artifact metadata.
  • Closure: sentinel artifact ./models/ --rule SAFETENSORS must return clean output.

How to fix

Publish checksums and verify them during model download and deployment.

CLI

sentinel artifact ./models/ --rule SAFETENSORS

Policy example

sentinel-policy.yml
rules:
  SAFETENSORS-MISSING-HASH:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule SAFETENSORS"

Expected output

SAFETENSORS-MISSING-HASH LOW
Missing Safetensors Integrity Hash
Hash and sign safetensors artifacts.

Example

Bad
{
  "weight": { "dtype": "F32", "shape": [999999999, 999999999], "data_offsets": [0, 8] }
}
Good
{
  "weight": { "dtype": "F32", "shape": [2, 2], "data_offsets": [0, 16] },
  "__metadata__": { "sha256": "..." }
}
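The fix for SAFETENSORS-MISSING-HASH is to publish checksums at release time and verify them at download and deployment time. The following is an added example, not Sentinel's code or a Sentinel manifest format: the release side records a sha256 per artifact in a constructed manifest, and the consumer side distinguishes a missing entry (the LOW hygiene finding on this page) from a digest that does not match (treated here as a hard reject, which is this example's design choice). The manifest layout, file paths and artifact bytes are all constructed for the example.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Hex digest of the whole artifact; this is the value the manifest publishes."""
    return hashlib.sha256(data).hexdigest()


def publish_manifest(artifacts: dict) -> dict:
    """Release side: record a sha256 for every artifact.

    The layout ({"artifacts": {path: {"sha256": ...}}}) is a constructed manifest
    format for this example, not Sentinel's.
    """
    return {
        "version": 1,
        "artifacts": {path: {"sha256": sha256_hex(blob)} for path, blob in artifacts.items()},
    }


def check_integrity(path: str, data: bytes, manifest: dict) -> str:
    """Consumer side: 'OK ...', a SAFETENSORS-MISSING-HASH finding, or a 'REJECT ...' line."""
    entry = manifest.get("artifacts", {}).get(path, {})
    expected = entry.get("sha256")
    if not isinstance(expected, str) or len(expected) != 64:
        # No usable digest was published, so the file cannot be verified at all.
        # That is the hygiene finding on this page, not evidence of tampering.
        return f"SAFETENSORS-MISSING-HASH LOW {path}: no sha256 entry in manifest"
    actual = sha256_hex(data)
    # compare_digest keeps the comparison time independent of where the digests diverge;
    # lower() tolerates manifests that were written with upper-case hex.
    if not hmac.compare_digest(actual, expected.lower()):
        return f"REJECT {path}: sha256 {actual} does not match manifest {expected}"
    return f"OK {path}"


# Constructed artifacts: these bytes stand in for real .safetensors files.
RELEASE = {
    "models/encoder.safetensors": b"constructed-encoder-bytes",
    "models/decoder.safetensors": b"constructed-decoder-bytes",
}
MANIFEST = publish_manifest(RELEASE)

if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2))
    print(check_integrity("models/encoder.safetensors", RELEASE["models/encoder.safetensors"], MANIFEST))
    tampered = RELEASE["models/decoder.safetensors"][:-1] + b"X"
    print(check_integrity("models/decoder.safetensors", tampered, MANIFEST))
    print(check_integrity("models/unlisted.safetensors", b"anything", MANIFEST))
```

Run at download time this closes the "registry serves a replaced file without a hash check" scenario from the top of the page: a swapped file fails the digest comparison, and a file that was never hashed surfaces as the missing-hash finding instead of being silently accepted.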

Related rules

References