Hugging Face's logo

paperboygold
/
gguf-nested-json-poc

GGUF
conversational
Model card Files
xet
Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning: empty or missing yaml metadata in repo card (https://huggingface.co/docs/hub/model-cards#model-card-metadata)

Denial of Service via Deeply Nested JSON in Jinja2 Template Context

Summary

A stack overflow vulnerability exists in llama.cpp's Jinja template value converter when processing deeply nested JSON data passed as template variables. This occurs because the global_from_json function in common/jinja/value.cpp (and its underlying from_json implementation) is recursive and does not have a depth limit when converting JSON objects to the internal jinja::value representation.

Vulnerability Details

  • Vulnerability Type: Stack Overflow (CWE-674: Uncontrolled Recursion)
  • Affected Component: common/jinja/value.cpp
  • Impact: Denial of Service (DoS) via application crash.

The crash occurs during the conversion of JSON data (e.g., from a tool call or message history) into the Jinja template context. If an attacker can provide a deeply nested JSON object, the recursive calls to from_json will exhaust the stack.

Reproduction

This repository contains a Proof of Concept (PoC) to demonstrate the vulnerability.

Prerequisites

  • llama.cpp built with llama-cli
  • g++ (for compiling the C++ reproduction script)
  • python3 (for generating the initial GGUF)

Steps

  1. Compile the Reproduction Script: The reproduce_crash.cpp file contains a standalone C++ program that links against llama.cpp's common library to directly trigger the vulnerable function.

    g++ reproduce_crash.cpp -o reproduce_crash \
    -I ../../../common -I ../../../vendor \
    -L ../../../build/common -lcommon \
    -L ../../../build/bin -lggml \
    -std=c++17

    (Note: Adjust paths to common, vendor, and build directories as necessary for your environment)

  2. Run the Exploit: Run the compiled executable. It will generate a JSON string with 200,000 levels of nesting and attempt to convert it using jinja::global_from_json.

    LD_LIBRARY_PATH=../../../build/bin ./reproduce_crash

  3. Observe the Crash: The application will crash with a segmentation fault due to stack exhaustion.

    Creating deeply nested JSON string (200000 levels)...
Parsing JSON string...
Initializing Jinja context and parsing template...
Triggering global_from_json (this should crash due to recursion)...
Segmentation fault (core dumped)

Mitigation

The vulnerability can be mitigated by implementing a recursion depth limit in global_from_json or the underlying from_json conversion logic in common/jinja/value.cpp. A reasonable limit (e.g., 100 levels) should be enforced to prevent stack exhaustion.

Downloads last month
-
GGUF
Model size
1B params
Architecture
llama
Hardware compatibility
Log In to add your hardware

We're not able to determine the quantization variants.

View all variants
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support