# llama.cpp Jinja2 Template Parser Stack Overflow PoC ## Vulnerability **Type:** Stack Overflow via Uncontrolled Recursion (CWE-674) **Location:** `common/jinja/parser.cpp` — recursive descent parser with no depth limit **Severity:** Medium (CVSS 5.5) — DoS via crafted GGUF model file **Tested:** llama.cpp commit c5ce4bc (2026-04-08) ## Root Cause The Jinja2 template parser uses recursive descent with NO recursion depth limit. A GGUF file with ~5,500+ levels of nested `{% if %}` blocks in `tokenizer.chat_template` causes SIGSEGV (stack overflow) when any llama.cpp application loads the model. ## Crash Output ``` Depth 5000: Parser completed (OK) Depth 5500: core dumped (SIGSEGV!) Depth 10000: core dumped (SIGSEGV!) ``` ## Files - `poc_parser_stackoverflow.gguf` — Crafted GGUF with 50,000 nested if-blocks (~1.2 MB) - `poc_recursive_macro.gguf` — Recursive macro that crashes at runtime (244 bytes) - `poc_range_oom.gguf` — Unbounded range() causing OOM (203 bytes) - `create_poc_jinja.py` — Generator script for all PoC variants ## Reproduction ```bash # Build llama.cpp, then: llama-server -m poc_parser_stackoverflow.gguf # Result: Segmentation fault (core dumped) ``` ## Suggested Fix Add `MAX_PARSE_DEPTH` counter to recursive descent functions in parser.cpp. **License:** MIT | **Researcher:** neimasilk | **Disclosure:** huntr.com