---
tags:
- security
- proof-of-concept
- msgpack
license: mit
---
# MessagePack array32 repeated-empty-string materialization DoS PoC
This repository contains a benign security research PoC for a `.msgpack`
artifact that drives large in-memory materialization during
`msgpack.unpackb(..., raw=False)`.
Files:
- `control_bin32_same_size.msgpack`
- `malicious_array32_empty_strings_20000000.msgpack`
- `reproduce.py`
Observed behavior:
- control artifact:
  - parses successfully as one `bytes` object
- malicious artifact:
  - same size as control
  - parses successfully as a list of `20,000,000` empty strings
  - materially increases peak RSS during normal unpack
Reproduction:
```bash
python3 build_poc.py
python3 reproduce.py
```
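
A defensive pre-parse check for the behavior observed above, added here as an example and not part of this repository's scripts: it walks the MessagePack tags without building any objects and rejects input that declares more objects than a caller-chosen budget. The names `count_objects` and `budget` are hypothetical, and the two samples are constructed, scaled-down stand-ins that assume each empty string is encoded as the one-byte fixstr `0xa0`.

```python
# Fixed-width payloads by tag: floats, ints, fixext (type byte included).
FIXED = {0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2, 0xce: 4, 0xcf: 8,
         0xd0: 1, 0xd1: 2, 0xd2: 4, 0xd3: 8,
         0xd4: 2, 0xd5: 3, 0xd6: 5, 0xd7: 9, 0xd8: 17}
# Length-prefixed tags: (width of the length field, kind).
SIZED = {0xc4: (1, "raw"), 0xc5: (2, "raw"), 0xc6: (4, "raw"),
         0xc7: (1, "ext"), 0xc8: (2, "ext"), 0xc9: (4, "ext"),
         0xd9: (1, "raw"), 0xda: (2, "raw"), 0xdb: (4, "raw"),
         0xdc: (2, "arr"), 0xdd: (4, "arr"), 0xde: (2, "map"), 0xdf: (4, "map")}

def count_objects(data, budget):
    """Count objects a decoder would create; ValueError once past `budget`."""
    pos, pending, total = 0, 1, 0  # pending: objects declared but not yet read
    while pending:
        if pos >= len(data):
            raise ValueError("truncated input")
        tag = data[pos]
        pos, pending, total = pos + 1, pending - 1, total + 1
        if tag <= 0x7f or tag >= 0xe0 or tag in (0xc0, 0xc2, 0xc3):
            pass  # fixint, nil, false, true: no payload
        elif tag <= 0x8f:
            pending += 2 * (tag & 0x0f)  # fixmap: key + value per entry
        elif tag <= 0x9f:
            pending += tag & 0x0f  # fixarray
        elif tag <= 0xbf:
            pos += tag & 0x1f  # fixstr payload
        elif tag in FIXED:
            pos += FIXED[tag]
        elif tag in SIZED:
            width, kind = SIZED[tag]
            n = int.from_bytes(data[pos:pos + width], "big")
            pos += width
            if kind in ("arr", "map"):
                pending += n * (2 if kind == "map" else 1)
            else:
                pos += n + (1 if kind == "ext" else 0)
        else:
            raise ValueError("reserved tag 0xc1")
        # Checked as soon as a container header is read, before its elements.
        if total + pending > budget:
            raise ValueError(f"input declares more than {budget} objects")
    if pos > len(data):
        raise ValueError("truncated input")
    return total

# Constructed, scaled-down stand-ins for the two artifacts (N = 1000).
N = 1000
CONTROL = b"\xc6" + N.to_bytes(4, "big") + b"\x00" * N    # one bin32
MALICIOUS = b"\xdd" + N.to_bytes(4, "big") + b"\xa0" * N  # array32 of ""
```

Both samples have the same byte length, but the control counts as 1 object and the array as N + 1, so a byte-size limit alone does not separate them. msgpack-python's `unpackb` also accepts a `max_array_len` argument that enforces a container limit inside the decoder.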