You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

GGUF metadata array length parser DoS PoC

This repository contains a minimal safe proof of concept for a gguf-py availability issue.

The malicious sample is a 519-byte GGUF file whose tokenizer.ggml.scores metadata array length is set to 1073741824. gguf.GGUFReader() trusts that value as a Python loop bound before validating the remaining file size, causing the parser process to remain busy until it is externally terminated.

Files

  • baseline_metadata.gguf - benign baseline.
  • huge_scores_array_len.gguf - malicious GGUF sample.
  • trigger_gguf_read.py - minimal single-process trigger.
  • worker_pool_dos.py - local worker-pool exhaustion harness.
  • single_process_3x.txt - latest gguf==0.19.0 timeout evidence.
  • worker_pool_3x.txt - worker-pool evidence.
  • modelscan_result.json - ModelScan unsupported-format result.

Reproduce

python -m venv venv
venv\Scripts\python.exe -m pip install gguf==0.19.0
venv\Scripts\python.exe trigger_gguf_read.py huge_scores_array_len.gguf
venv\Scripts\python.exe worker_pool_dos.py --file huge_scores_array_len.gguf --workers 4 --timeout 5

Expected secure behavior: immediate parse rejection because the declared array length cannot fit in the remaining file bytes.

Actual behavior: parser workers remain alive until externally terminated.

No code execution, native memory corruption, credentials, private data, or production target interaction is included.

Downloads last month
-
GGUF
Model size
0 params
Architecture
llama
Hardware compatibility
Log In to add your hardware

We're not able to determine the quantization variants.

Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support