GGUF / chat_template Jinja2-SSTI vein = SATURATED across listed consumers (cycle271 Phase-0, disclosure-gated pre-PoC)
Banked from cycle271 Phase-0. Thesis was strong (CVE-2024-34359 llama-cpp-python -> CVE-2026-5760 SGLang = a live, recurring "model file carries a Jinja2 chat_template, framework renders it UNSANDBOXED -> RCE" cluster). Disclosure-gate + source-audit DISQUALIFIED it on every huntr-listed consumer BEFORE any PoC compute. The value = the saturation map + the new doctrine.
The disclosure-gate map (as of 2026-06, listed huntr repos)
- llama-cpp-python (0.3.31): COMPREHENSIVELY fixed. EVERY render (chat, format-specific, function-calling) uses
jinja2.sandbox.ImmutableSandboxedEnvironment. Their CVE-2024-34359 fix was a full SWEEP, not a point-fix. WALK.
- transformers (HEAD): single
ImmutableSandboxedEnvironment (chat_template_utils.py), no unsandboxed sibling; added globals (raise_exception, tojson, strftime_now) expose no __globals__/eval. The EXACT class is 8x disclosed-and-rejected ("Informative") on huntr (reporter muraveyapp, 2026-05); the chat_template path-traversal variant is also dup'd. SATURATED-SURFACE.
- vLLM (HEAD): every model-supplied render is
ImmutableSandboxedEnvironment or delegates to HF/mistral; the reranker/scoring path (the SGLang sink) is a NON-Jinja f-string. Jinja surface already disclosed as CVE-2025-61620 (DoS, not RCE). WALK.
- SGLang: already CVE-2026-5760 (the unsandboxed reranker). Disclosed.
- ollama: Go
text/template (NOT Jinja2) - different engine, structurally RCE-poor (only funcmap funcs callable); no template-injection CVE (its CVEs are auto-updater/installer-hijack/Probllama path-traversal/heap). Heavily-researched target.
DOCTRINE (new)
- ImmutableSandboxedEnvironment is now the STANDARD for model-supplied chat-template rendering. The 2024 llama-drama lesson propagated: the major listed Python consumers all sandbox. A finder for this class must look at the LONG TAIL (a niche/new framework that re-implements rendering), NOT the big-3 - and those niche frameworks are usually NOT huntr-listed (unsubmittable). So the class is low-EV on listed repos.
- Disclosure-gate the CLASS, not just the sink. transformers' 8x-informative-rejected history is a CLASS-LEVEL saturation signal: when a huntr repo shows multiple "Informative" rejections of a vuln class, the class is triaged-as-known there -> deprioritize the whole class on that platform, not just the one sink. (Extends the SATURATED-SURFACE rule from RAGFlow to a PLATFORM-TRIAGE-HISTORY signal.)
- The disclosure-gate FLOOR paid off again: caught a strong-looking thesis as saturated with ZERO PoC compute (no venv, no malicious-GGUF craft, no live load). Same win-shape as RAGFlow cycle257. The cost of a thorough Phase-0 disclosure-gate << the cost of building a PoC for a dup.
- Sandbox-escape residue (parked, not pursued): the only non-saturated theoretical angle is a jinja2-LIBRARY sandbox escape (e.g. CVE-2025-27516
|attr breakout) reachable because a consumer pins jinja2>=3.1.0 (pre-3.1.6). That is an UPSTREAM jinja2 bug, already CVE'd, not a consumer-ownable bounty -> out of scope. Don't chase.
Net: model-file lane saturation tally now = ONNX (swept, cycle269) + Keras (saturated, cycle269) + GGUF-chat_template-SSTI (saturated, cycle271). The AI-model-file lane is HOT/well-researched (Protect AI + many researchers). Freshest-untouched-with-real-RCE residue = ExecuTorch (.pte, newer/less-examined) or TF SavedModel ($4000 but heavily researched); SafeTensors caps at OOB/DoS (RCE-impossible-by-design). Consider pivoting to a fresh Immunefi mid-tier where source-guided depth is less-contested.
Related: [[2026-06-21-cycle269-keras-model-load-saturated-disclosure-gate]], [[feedback_cross_fork_portlag_primitive]].