Deserialization Threats

GGUF Model Template Containing Arbitrary Code Execution Detected

Eresus Security Research Team, Security Researcher
April 10, 2026

Overview

Machine learning models are typically developed in PyTorch or another training framework and then converted to GGUF. GGUF is a binary format optimized for storing models and loading them quickly. The format is developed by the llama.cpp team and is designed for efficient inference.

Large language models commonly ship with a chat template that formats the prompt. A security risk arises when that Jinja chat template is rendered outside a sandboxed environment, because a template can then reach arbitrary code execution. When the same template is rendered inside a sandboxed environment, any unsafe construct it contains raises an exception instead of executing. Rendering a Jinja template in a sandbox therefore lets developers confirm that the template is safe before it is used in any downstream task.

If a model is reported with this issue, it means:

  • The model is serialized using GGUF format.
  • The model contains potentially malicious code in its Jinja template which will execute when the model is loaded.

Key Points

  • GGUF models consist of tensors and a standardized set of metadata.
  • Chat format templates can be added as part of GGUF model metadata.
  • GGUF uses Jinja2 templating to format the prompt.
  • Attackers can insert malicious code in a Jinja template.
  • Loading a GGUF model that uses a Jinja template will execute any code in that template (malicious or otherwise).
  • Only load models from trusted sources.
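Because the chat template lives in the GGUF metadata section, a scanner can pull it out of an untrusted file without loading a single tensor into an inference runtime. The following Python is an added example (not Eresus code and not part of llama.cpp): it parses the GGUF header and metadata key/value section according to the GGUF specification, stops before the tensor data, and returns the value stored under the standard `tokenizer.chat_template` key. The `build_minimal_gguf` helper and the sample metadata are constructed here purely so the example runs offline; real model files carry many more keys plus tensor data.

```python
import io
import struct

# GGUF metadata value types from the GGUF spec (ggml/llama.cpp), mapped to struct codes.
GGUF_TYPES = {
    0: "B", 1: "b", 2: "H", 3: "h", 4: "I", 5: "i",
    6: "f", 7: "?", 10: "Q", 11: "q", 12: "d",
}
GGUF_STRING = 8
GGUF_ARRAY = 9
GGUF_UINT32 = 4
GGUF_BOOL = 7
CHAT_TEMPLATE_KEY = "tokenizer.chat_template"  # standard key holding the Jinja chat template


def _read_string(buf):
    (length,) = struct.unpack("<Q", buf.read(8))
    return buf.read(length).decode("utf-8")


def _read_value(buf, vtype):
    if vtype == GGUF_STRING:
        return _read_string(buf)
    if vtype == GGUF_ARRAY:
        (etype,) = struct.unpack("<I", buf.read(4))
        (count,) = struct.unpack("<Q", buf.read(8))
        return [_read_value(buf, etype) for _ in range(count)]
    fmt = "<" + GGUF_TYPES[vtype]
    (value,) = struct.unpack(fmt, buf.read(struct.calcsize(fmt)))
    return value


def read_gguf_metadata(data):
    """Parse only the header and metadata KV section of a GGUF v2/v3 file.

    Tensor infos and tensor data are never read, so this is safe to run on an
    untrusted file before anything reaches an inference runtime.
    """
    buf = io.BytesIO(data)
    if buf.read(4) != b"GGUF":
        raise ValueError("not a GGUF file")
    (version,) = struct.unpack("<I", buf.read(4))
    if version not in (2, 3):
        raise ValueError(f"unsupported GGUF version {version}")
    tensor_count, kv_count = struct.unpack("<QQ", buf.read(16))
    metadata = {}
    for _ in range(kv_count):
        key = _read_string(buf)
        (vtype,) = struct.unpack("<I", buf.read(4))
        metadata[key] = _read_value(buf, vtype)
    return {"version": version, "tensor_count": tensor_count, "metadata": metadata}


def extract_chat_template(data):
    """Return the Jinja chat template string, or None if the model has none."""
    return read_gguf_metadata(data)["metadata"].get(CHAT_TEMPLATE_KEY)


def _string_bytes(text):
    encoded = text.encode("utf-8")
    return struct.pack("<Q", len(encoded)) + encoded


def build_minimal_gguf(metadata):
    """Constructed fixture: a tensor-free GGUF v3 file carrying the given metadata.

    Supports str, bool, int (stored as UINT32) and list-of-str values only.
    """
    out = b"GGUF" + struct.pack("<I", 3) + struct.pack("<QQ", 0, len(metadata))
    for key, value in metadata.items():
        out += _string_bytes(key)
        if isinstance(value, str):
            out += struct.pack("<I", GGUF_STRING) + _string_bytes(value)
        elif isinstance(value, bool):  # must precede the int check (bool is an int subclass)
            out += struct.pack("<I", GGUF_BOOL) + struct.pack("<?", value)
        elif isinstance(value, int):
            out += struct.pack("<I", GGUF_UINT32) + struct.pack("<I", value)
        elif isinstance(value, list):
            out += struct.pack("<II", GGUF_ARRAY, GGUF_STRING) + struct.pack("<Q", len(value))
            out += b"".join(_string_bytes(item) for item in value)
        else:
            raise TypeError(f"unsupported fixture value for {key!r}")
    return out


# Constructed sample: a benign template inside an otherwise minimal metadata set.
SAMPLE_TEMPLATE = "{% for m in messages %}{{ m['role'] }}: {{ m['content'] }}\n{% endfor %}"
SAMPLE_GGUF = build_minimal_gguf({
    "general.architecture": "llama",
    "general.name": "constructed-sample",
    "llama.context_length": 2048,
    "tokenizer.ggml.tokens": ["<s>", "</s>"],
    CHAT_TEMPLATE_KEY: SAMPLE_TEMPLATE,
})

if __name__ == "__main__":
    info = read_gguf_metadata(SAMPLE_GGUF)
    print("GGUF v%d, %d tensors, keys: %s" % (info["version"], info["tensor_count"], sorted(info["metadata"])))
    print("chat template:", repr(extract_chat_template(SAMPLE_GGUF)))
```

Extracting the template this way is the first half of a vetting pipeline: the string it returns can be handed to a sandboxed renderer for inspection while the model file itself stays untouched.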

Impact

An attacker could exploit a compromised template to:

  • Access sensitive information (e.g., SSH keys, cloud credentials).
  • Execute malicious code on your system.
  • Use the compromised system as a vector for broader attacks.

Note: Malicious code execution through a Jinja template can be achieved without affecting the model's performance; the user may never know that the attack has happened or is ongoing.

Best Practices

You should:

  • Implement a vetting process for third-party models before use via Eresus Sentinel.
  • Use sandboxing techniques when loading untrusted models or rendering templates.

Remediation

GGUF models often come with Jinja templates. If possible, render the Jinja template inside a strictly sandboxed environment when loading a GGUF model. If that is not possible, reach out to the model creator and alert them that the model has failed Eresus Security scan policies.
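The sandboxed rendering described in the Overview and in this Remediation section can be turned into a concrete pre-load check. The following Python is an added example (not Eresus code and not llama.cpp's own template handling) using the `jinja2` package, assumed to be installed: it renders a chat template with Jinja2's `ImmutableSandboxedEnvironment` against a constructed probe conversation and reports whether the sandbox accepted it. `StrictUndefined` is used so that an attribute the sandbox refuses (the default sandbox quietly returns an undefined value for it) surfaces as a `SecurityError` instead of rendering as an empty string. The "unsafe" sample template is constructed for the example and only touches a dunder attribute the sandbox forbids; it executes nothing.

```python
from jinja2 import StrictUndefined, TemplateSyntaxError
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed probe conversation; real templates expect these variable names.
PROBE_MESSAGES = [
    {"role": "system", "content": "You are a helpful assistant."},
    {"role": "user", "content": "Hello"},
]
PROBE_CONTEXT = {
    "messages": PROBE_MESSAGES,
    "add_generation_prompt": True,
    "bos_token": "<s>",
    "eos_token": "</s>",
}


def check_chat_template(template_source):
    """Render a chat template inside Jinja2's sandbox and classify the result.

    Returns (verdict, detail) where verdict is one of:
      "ok"           - rendered cleanly; detail is the rendered text
      "blocked"      - the sandbox refused an unsafe construct (SecurityError)
      "undefined"    - template references a variable the probe did not supply
      "syntax_error" - template does not parse
    """
    env = ImmutableSandboxedEnvironment(
        trim_blocks=True,
        lstrip_blocks=True,
        undefined=StrictUndefined,  # make refused attribute access raise rather than print ""
    )
    try:
        template = env.from_string(template_source)
        rendered = template.render(**PROBE_CONTEXT)
    except SecurityError as exc:
        return "blocked", f"sandbox blocked template: {exc}"
    except UndefinedError as exc:
        return "undefined", f"template references an undefined name: {exc}"
    except TemplateSyntaxError as exc:
        return "syntax_error", f"template does not parse: {exc}"
    return "ok", rendered


# Constructed samples: a typical benign chat template and one reaching for a
# dunder attribute, which is the kind of access the sandbox is there to refuse.
BENIGN_TEMPLATE = (
    "{% for m in messages %}<|{{ m['role'] }}|>{{ m['content'] }}{% endfor %}"
    "{% if add_generation_prompt %}<|assistant|>{% endif %}"
)
UNSAFE_TEMPLATE = "{{ messages.__class__ }}"

if __name__ == "__main__":
    for name, source in (("benign", BENIGN_TEMPLATE), ("unsafe", UNSAFE_TEMPLATE)):
        verdict, detail = check_chat_template(source)
        print(f"{name}: {verdict} -> {detail!r}")
```

A template that comes back "blocked" should not be rendered anywhere outside the sandbox; "undefined" usually means the probe context lacks a variable the template expects (extend `PROBE_CONTEXT`) rather than a security problem, so treat it as inconclusive instead of silently passing it.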