llama.cpp Jinja2 Template Parser Stack Overflow PoC

Vulnerability

  • Type: Stack Overflow via Uncontrolled Recursion (CWE-674)
  • Location: common/jinja/parser.cpp — recursive descent parser with no depth limit
  • Severity: Medium (CVSS 5.5) — DoS via crafted GGUF model file
  • Tested: llama.cpp commit c5ce4bc (2026-04-08)

Root Cause

The Jinja2 template parser is a recursive descent parser with no recursion depth limit. A GGUF file whose tokenizer.chat_template contains ~5,500+ levels of nested {% if %} blocks causes a SIGSEGV (stack overflow) when any llama.cpp application loads the model.

Crash Output

Depth 5000: Parser completed (OK)
Depth 5500: core dumped (SIGSEGV!)
Depth 10000: core dumped (SIGSEGV!)

Files

  • poc_parser_stackoverflow.gguf — Crafted GGUF with 50,000 nested if-blocks (~1.2 MB)
  • poc_recursive_macro.gguf — Recursive macro that crashes at runtime (244 bytes)
  • poc_range_oom.gguf — Unbounded range() causing OOM (203 bytes)
  • create_poc_jinja.py — Generator script for all PoC variants

Reproduction

# Build llama.cpp, then:
llama-server -m poc_parser_stackoverflow.gguf
# Result: Segmentation fault (core dumped)

Suggested Fix

Add a MAX_PARSE_DEPTH counter to the recursive descent functions in parser.cpp.
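
A sketch of that kind of depth check, added here as an illustration and not taken from llama.cpp or from this PoC: a miniature recursive descent parser that only understands {% if %} / {% endif %} and rejects over-deep input with an error instead of exhausting the stack. MiniParser, nested_if, try_parse and the limit of 256 are assumptions; only the name MAX_PARSE_DEPTH comes from the text above.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

constexpr std::size_t MAX_PARSE_DEPTH = 256;  // assumed value; the page gives none

class MiniParser {  // hypothetical miniature: only {% if %} / {% endif %} and text
public:
    explicit MiniParser(const std::string &src) : src_(src) {}
    std::size_t parse() {  // returns the deepest nesting level reached
        if (parse_body(0)) throw std::runtime_error("stray endif");
        return deepest_;
    }
private:
    enum class Tag { If, EndIf, Other, Eof };
    Tag next_tag() {  // skips literal text and consumes the next {% ... %} tag
        std::size_t open = src_.find("{%", pos_);
        std::size_t close = open == std::string::npos ? open : src_.find("%}", open + 2);
        if (close == std::string::npos) { pos_ = src_.size(); return Tag::Eof; }
        std::size_t kw = src_.find_first_not_of(' ', open + 2);
        std::string word = src_.substr(kw, src_.find_first_of(" %", kw) - kw);
        pos_ = close + 2;
        return word == "if" ? Tag::If : word == "endif" ? Tag::EndIf : Tag::Other;
    }
    bool parse_body(std::size_t depth) {  // true if ended by endif, false at end of input
        for (;;) {
            Tag t = next_tag();
            if (t == Tag::If) parse_if(depth + 1);
            else if (t != Tag::Other) return t == Tag::EndIf;
        }
    }
    void parse_if(std::size_t depth) {  // the recursive step, checked before descending
        if (depth > MAX_PARSE_DEPTH) throw std::runtime_error("template nesting too deep");
        if (depth > deepest_) deepest_ = depth;
        if (!parse_body(depth)) throw std::runtime_error("missing endif");
    }
    std::string src_;
    std::size_t pos_ = 0, deepest_ = 0;
};
std::string nested_if(std::size_t n) {  // constructed input: n nested if-blocks
    std::string open, close;
    for (std::size_t i = 0; i < n; ++i) { open += "{% if x %}"; close += "{% endif %}"; }
    return open + close;
}

bool try_parse(const std::string &tmpl) {  // false = rejected with an error, no crash
    try { MiniParser(tmpl).parse(); return true; }
    catch (const std::runtime_error &) { return false; }
}
```

The check runs before each descent, so stack use is bounded by the limit rather than by the size of the template in the model file.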

License: MIT | Researcher: neimasilk | Disclosure: huntr.com
