Gated security proof-of-concept
This repository is publicly accessible, but you have to accept the conditions to access its files and content.
This repository contains a coordinated-disclosure security proof-of-concept: a crafted Parquet thrift stream that demonstrates a memory-safety defect in the fastparquet thrift decoder (Cython). It contains no user data, no weaponized exploit, and no network activity. Access is restricted to the affected maintainers and the huntr / ProtectAI triage team for verification and remediation only.
Log in or Sign Up to review the conditions and access this model content.
fastparquet thrift decoder — crafted-file memory-safety PoC (gated)
This is a security research proof-of-concept for the huntr Model File Formats program
(format parquet). It contains a crafted Parquet thrift stream and harness that demonstrate a
heap out-of-bounds read in fastparquet’s Cython thrift path (cencoding.pyx read_thrift).
The payload only demonstrates the memory-safety defect (Valgrind invalid read / heap contents returned as thrift string bytes). There is no exploit weaponization, no user data, and no network callback.
- Class: heap out-of-bounds read (CWE-125)
- Affected: fastparquet (dask/fastparquet) Cython thrift decoder
- Disclosure: coordinated via huntr MFF
Full technical details, Valgrind logs, crafted file, and regenerator are in the gated files.
Contact: security researcher mrw0r57 (huntr: ssjcorpsec).