Listen to this Post
The vulnerability stems from an ineffective symlink check in ONNX’s external data loading routine. When a model references external data via a `.data` file, the function `std::filesystem::is_regular_file` is used to verify the file type. However, this function follows symlinks internally—it calls `status(p)` which resolves the symlink and checks the target’s type. As a result, if a symlink points to a regular file (e.g., /etc/passwd), the check returns `true` and the loader proceeds. An attacker can supply a malicious ONNX model accompanied by a symlink named `model.data` that points to an arbitrary file on the victim’s system. When the victim loads the model, the loader resolves the symlink and reads the target file, exposing sensitive data. The issue is not limited to UNIX; Windows junctions/symlinks can also be abused. The patch replaces the filesystem check with `openat()` using `O_NOFOLLOW` and verifies the opened file descriptor to ensure it is a regular file, preventing symlink traversal.
Platform: ONNX Runtime
Version: ≤1.14.0
Vulnerability: Path Traversal
Severity: Medium
date: 2023-04-15
Prediction: 2023-05-20
What Undercode Say:
Create symlink pointing to sensitive file
ln -s /etc/passwd model.data
Load malicious model (symlink follows)
python -c "import onnx; onnx.load('model.onnx')"
Detect vulnerable version
pip show onnx | grep Version
Exploit:
1. Generate ONNX model with external data.
- Delete real data file; replace with symlink to target file.
3. Package model and symlink (e.g., in ZIP).
- Victim loads model → symlink read → file exfiltration.
Protection from this CVE
Apply patch that uses `openat(O_NOFOLLOW)` + fstat(S_ISREG). Avoid loading untrusted models. Use sandboxed environments.
Impact:
Arbitrary file read (e.g., /etc/passwd, /proc/1/environ). Exposure of secrets, credentials, and environment variables.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

