Gated security proof-of-concept

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

This repository contains a coordinated-disclosure security proof-of-concept: a crafted Parquet thrift stream that demonstrates a memory-safety defect in the fastparquet thrift decoder (Cython). It contains no user data, no weaponized exploit, and no network activity. Access is restricted to the affected maintainers and the huntr / ProtectAI triage team for verification and remediation only.

Log in or Sign Up to review the conditions and access this model content.

fastparquet thrift decoder — crafted-file memory-safety PoC (gated)

This is a security research proof-of-concept for the huntr Model File Formats program (format parquet). It contains a crafted Parquet thrift stream and harness that demonstrate a heap out-of-bounds read in fastparquet’s Cython thrift path (cencoding.pyx read_thrift).

The payload only demonstrates the memory-safety defect (Valgrind invalid read / heap contents returned as thrift string bytes). There is no exploit weaponization, no user data, and no network callback.

  • Class: heap out-of-bounds read (CWE-125)
  • Affected: fastparquet (dask/fastparquet) Cython thrift decoder
  • Disclosure: coordinated via huntr MFF

Full technical details, Valgrind logs, crafted file, and regenerator are in the gated files.

Contact: security researcher mrw0r57 (huntr: ssjcorpsec).

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support