GGUF metadata array length parser DoS PoC
This repository contains a minimal safe proof of concept for a gguf-py availability issue.
The malicious sample is a 519-byte GGUF file whose tokenizer.ggml.scores metadata array length is set to 1073741824. gguf.GGUFReader() trusts that value as a Python loop bound before validating the remaining file size, causing the parser process to remain busy until it is externally terminated.
Files
baseline_metadata.gguf- benign baseline.huge_scores_array_len.gguf- malicious GGUF sample.trigger_gguf_read.py- minimal single-process trigger.worker_pool_dos.py- local worker-pool exhaustion harness.single_process_3x.txt- latestgguf==0.19.0timeout evidence.worker_pool_3x.txt- worker-pool evidence.modelscan_result.json- ModelScan unsupported-format result.
Reproduce
python -m venv venv
venv\Scripts\python.exe -m pip install gguf==0.19.0
venv\Scripts\python.exe trigger_gguf_read.py huge_scores_array_len.gguf
venv\Scripts\python.exe worker_pool_dos.py --file huge_scores_array_len.gguf --workers 4 --timeout 5
Expected secure behavior: immediate parse rejection because the declared array length cannot fit in the remaining file bytes.
Actual behavior: parser workers remain alive until externally terminated.
No code execution, native memory corruption, credentials, private data, or production target interaction is included.
- Downloads last month
- -
We're not able to determine the quantization variants.