🚩 Report: Illegal or restricted content
Suspicious
This is a legitimate security research proof-of-concept demonstrating a missing bounds check bug in llama.cpp's Python GGUF reader. The file is a 44-byte crafted GGUF header -- not malware, not illegal content. It exploits an integer validation gap in gguf-py where the Python parser doesn't enforce the same bounds the C++ parser does (GGUF_MAX_STRING_LENGTH, GGUF_MAX_ARRAY_ELEMENTS). The repo is clearly tagged 'security poc dos' with a full README explaining the vulnerability, affected code, reproduction steps, and proposed fix. This is standard vulnerability disclosure practice. Nothing here is illegal or restricted under Hugging Face content policy.
My mistake.
There are a lot of malicious space takeovers and hidden malware payloads. I reported this based on what I perceived as a possible threat, without verifying any of your attributions and transparency, your target bounds and disclosures.
I will do better.