Hugging Face's logo

pragnyanramtha
/
gguf-truncated-array-metadata-poc

GGUF
security
vulnerability
parser-dos
Model card Files
xet
 Community

Truncated GGUF Metadata Array Parser DoS / Metadata Spoof PoC

This is a benign model-format security PoC for GGUF metadata parsers.

The file poc_truncated_array_len_1000000.gguf is only 49 bytes. It declares one metadata key, x, as ARRAY<UINT8> with length 1,000,000, but it stores zero array element bytes.

Impact

Affected parsers should reject the file because the metadata array is truncated. Instead:

  • gguf==0.19.0 / GGUFReader walks the attacker-declared array length. The official gguf-dump CLI did not return within an 8-second local timeout.
  • @huggingface/gguf==0.4.2 returns metadata.x as an array of 1,000,000 zero values, even though the file contains no element bytes.
  • Native llama.cpp release b9113 rejects the same file cleanly with failed to read key-value pairs.
  • ModelScan 0.8.8 reports zero issues and scans zero files because .gguf is unsupported.

This is not ACE. The demonstrated impact is parser denial-of-service and metadata integrity loss in GGUF metadata tooling.

Files

  • poc_truncated_array_len_1000000.gguf - benign 49-byte PoC artifact.
  • generate_poc.py - recreates the PoC file.
  • verify_poc.py - validates Python gguf and ModelScan behavior.
  • verify_hf_gguf.mjs - validates @huggingface/gguf behavior.
  • results.json - captured local results.

Reproduce

Python parser / scanner check:

python -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt
python verify_poc.py

Hugging Face JS GGUF parser check:

npm install
npm run verify:hf-gguf

Expected JS result:

{
  "ok": true,
  "fileSize": 49,
  "metadataXLength": 1000000,
  "first": 0,
  "last": 0
}

Local Version Evidence

  • Python: 3.12.12
  • gguf: 0.19.0
  • @huggingface/gguf: 0.4.2
  • ModelScan: 0.8.8
  • Native control: llama.cpp release b9113, version: 9113 (1ec7ba0c1)
  • Public redownload check: passed after upload from pragnyanramtha/gguf-truncated-array-metadata-poc.

Artifact Hash 

SHA256: 3062abcc0557ae41aca5aa4aa10c1e9eeb77c4e6034d57ec4d4706bc98efc18c
Size: 49 bytes

Mitigation

Reject GGUF strings, arrays, tensor metadata, and scalar reads when the declared byte range exceeds the file size. For arrays, validate both the declared element count and the cumulative size consumed by each element, and fail if an element read would not advance through valid bytes.

Downloads last month
92
GGUF
Model size
0 params
Architecture
Hardware compatibility
Log In to add your hardware

We're not able to determine the quantization variants.

View all variants
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support