I'd be curious if there's an LLM prompt equivalent of a zip bomb that will explode the context window. I know there's deterministic limits on context window, but future LLMs _are_ going to have strange loops and going to be very susceptible to circular reasoning.

Before AGI, there will be a untenable gullible general intelligence.

    x_(n+1) = A * x_n (1 - x_n) 

A few years ago David Fitfield invented a technique which provides a million-to-one non-recursive expansion, by overlapping the file streams: https://www.bamsoftware.com/hacks/zipbomb/

    from fastapi import FastAPI
    from starlette.responses import StreamingResponse
    from fastapi.middleware.gzip import GZipMiddleware
    
    app = FastAPI()
    
    app.add_middleware(GZipMiddleware, minimum_size=0, compresslevel=9)
    
    def lol_generator():
        while True:
            yield "LOL\n"
    
    @app.get("/")
    def stream_text():
        return StreamingResponse(lol_generator(), media_type="text/plain")

> Now I read articles like this one talking about "oh yeah Evolution filled up 100GB of space" like that's no big deal.

Is this actually a practical issue though? Windows, Mac and Linux all support transparent compression at the filesystem level, so 100GB of /dev/zero isnt actually going to fill much space at all.

I don't think you can do it with Jpeg, but you could probably do it with PNG which is basically using the same compression algorithm as zip.

Not what you were asking for but my favorite valid image is exploit code as PNG image data. It's just pixels in specific colors that, after compression, have the bytes in the file spell out something like <script>alert(1)</script>

I consulted for a bank once where the server stripped metadata and re-encoded images from scratch again and the devs thought that would remove any maliciousness. It's just pixels right? I might have thought so as well, but I had this idea and wanted to double check, and it didn't take long to find someone smarter than me had already done the work: https://web.archive.org/web/20250713054441/http://www.idontp... (By now I see there are a dozen commercial parties that rank higher for this topic. Marginalia search helped me re-find the OG post just now)

Edit, thought I should add: the solution is to specify the correct content type. Don't let your PHP interpreter interpret files in the user uploads directory. Don't serve images with content-type text/html because the browser will interpret it as HTML (as instructed) and run any code inside on your domain ('origin'). Mark data as separate from code whenever possible, or escape it when that's impossible

> it’s a good way to make an email that looks completely different depending on which client it’s opened in.

Well, for that use the differences in HTML&CSS support and filtering ...

I guess the reason they added this was that they noticed many mails contain same tracking images and decided to cut of tracking data that way.

Most things are trivial to prevent if you know of and think to check for them.

> I'm sure there are zip-bomb equivalents in binary formats like .xlsx, PDF, .docx, etc.

Yes. Both, docx and xlsx are literally just a zip of XML files with a different extension. PDF can contain zlib streams, which use deflate compression just as gzip, so all the mentioned methods apply to all three formats.

In addition to zip bombing AIs with file parsers, I've wondered about 'context bombs' in the sense of trigger phrases that trip up LLMs into getting stuck into repeating phrases or reasoning evaluations without ever hitting an end of sequence (EOS) token, thus running a system up against API call limits / burning credits / effectively ddosing services etc.

Due to the inherent fuzziness/diversity in all models right now I don't think there is a universal approach to this idea but it is something people deploying these systems may want to try and detect.