Deeply Nested Template Literals DoS PoC

This repository contains a Proof of Concept (PoC) for a Denial of Service (DoS) vulnerability in llama.cpp's Jinja2 template parser.

Vulnerability

The Jinja2 template parser in llama.cpp (prior to the fix) uses unbounded recursion when parsing deeply nested array literals. A malicious chat template containing deeply nested brackets, such as {{ [[[[...]]]] }}, crashes the application with a segmentation fault (stack overflow) during parsing, before execution even begins.

This is distinct from the recursive macro vulnerability: this one crashes during template PARSING, not EXECUTION.

Files

  • dos.gguf: A malicious GGUF model file containing a deeply nested template literal.

Reproduction

To reproduce the crash (on a vulnerable version):

./llama-cli -m dos.gguf -p "test"

The crash occurs immediately when the template is parsed, before any inference.

Technical Details

The malicious template contains 200 levels of nested array brackets:

{{ [[[[[[[[[[...1...]]]]]]]]]] }}

This exhausts the call stack through recursive parse_expression() calls in parser.cpp.

Mitigation

This vulnerability is fixed by enforcing a parse depth limit (MAX_PARSE_DEPTH) in common/jinja/parser.cpp.
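
The depth-limit pattern described above, shown on a minimal recursive-descent parser for nested array literals. This is an added example, not llama.cpp's code: ArrayParser and parses_within_limit are hypothetical names, and the value 64 for MAX_PARSE_DEPTH is an assumption, since the page does not state the real one.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Assumed value for illustration; the page names MAX_PARSE_DEPTH but not its value.
constexpr std::size_t MAX_PARSE_DEPTH = 64;

// Hypothetical minimal parser: accepts integers and nested arrays such as [[1,2],[3]].
class ArrayParser {
public:
    explicit ArrayParser(const std::string & src) : s(src) {}
    // Returns the deepest nesting level seen; throws on bad syntax or excess depth.
    std::size_t parse() {
        pos = 0;
        max_seen = 0;
        parse_value(0);
        if (pos != s.size()) throw std::runtime_error("trailing input");
        return max_seen;
    }
private:
    std::string s;
    std::size_t pos = 0;
    std::size_t max_seen = 0;

    void parse_value(std::size_t depth) {
        // Guard runs before any further recursion, so stack use is bounded by the limit.
        if (depth > MAX_PARSE_DEPTH) throw std::runtime_error("parse depth limit exceeded");
        if (depth > max_seen) max_seen = depth;
        if (pos < s.size() && s[pos] == '[') {
            ++pos;
            if (pos < s.size() && s[pos] == ']') { ++pos; return; }  // empty array
            for (;;) {
                parse_value(depth + 1);
                if (pos < s.size() && s[pos] == ',') { ++pos; continue; }
                if (pos < s.size() && s[pos] == ']') { ++pos; return; }
                throw std::runtime_error("expected ',' or ']'");
            }
        }
        std::size_t start = pos;
        while (pos < s.size() && s[pos] >= '0' && s[pos] <= '9') ++pos;
        if (pos == start) throw std::runtime_error("expected value");
    }
};

// Returns true if the literal parses within the depth limit, false on any parse error.
bool parses_within_limit(const std::string & src) {
    try { ArrayParser(src).parse(); return true; }
    catch (const std::runtime_error &) { return false; }
}
```

With the guard in place, input nested past the limit is rejected as an ordinary parse error that the caller can handle, instead of terminating the process.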
