ONNX External Data: Content-Only Mutation (External Payload Runtime Authority)
Root Claim
External payload runtime authority without primary model integrity binding.
An ONNX model that uses the external data mechanism (TensorProto.data_location = EXTERNAL)
delegates weight tensors to a companion file (weights.bin). When no checksum key is present
in external_data, the ONNX spec does not require or perform any integrity verification of the
external file at load time.
This means: model.onnx can remain byte-for-byte identical while weights.bin is silently
replaced with different content, causing the runtime to produce different inference outputs with
zero warning and zero exception.
Mechanism
```text
model.onnx (UNCHANGED: SHA-256 identical before and after mutation)
└── TensorProto W: data_location=EXTERNAL
    external_data keys: ["location", "length"]   (no "checksum" key)
    location = "weights.bin"

weights.bin (CHANGED: content replaced)
clean:   W = [[-1.0,  1.0]]  →  benign input scores -1.0 (negative), dangerous +1.0 (positive)
mutated: W = [[ 1.0, -1.0]]  →  benign input scores +1.0 (positive), dangerous -1.0 (negative)
```
The external file is visible on disk at its normal filesystem path, so this is not a stealth or concealed-file scenario: the substitution is a content-level mutation of weights.bin in place. Any process that can write weights.bin can flip the model's decision boundary without touching model.onnx.
Empirical Results
| Property | Value |
|---|---|
| model.onnx SHA-256 (clean) | a96a76b22b95b8696fe77a61a50751883b6b5d01af8c7e6af70d0d1e847889a1 |
| model.onnx SHA-256 (mutated) | a96a76b22b95b8696fe77a61a50751883b6b5d01af8c7e6af70d0d1e847889a1 |
| model.onnx files identical | YES |
| weights.bin SHA-256 (clean) | c1112024d84bac179cfda8df2d45cdb8cb941ec29f75e8cffa61c3b4c46d44a1 |
| weights.bin SHA-256 (mutated) | dee9bee38d8ce139ee23552fc0ca83067114ae903518d7711ba7937b72c0d697 |
| onnx.checker result (both) | PASS |
| shape_inference result (both) | PASS |
| Runtime output flip | YES (10/10 same-process, 5/5 subprocess) |
| Warnings emitted | 0 |
| Exceptions raised | 0 |
| checksum key present | False (both bundles) |
By-Design Acknowledgment
The ONNX specification explicitly defines checksum as an optional key in external_data.
The external data mechanism is an intended, documented feature of the format. This finding does
not claim the checksum field is broken or that the spec is incorrect.
The finding is: when the checksum field is absent, runtime output is fully determined by the
content of the external file, yet every integrity check applied to model.onnx (hash, signature,
content scan) reports a clean result for a semantically mutated model.
Distinctness vs. CVE-2024-5187 / huntr 5e98c060
Prior submission 5e98c060 (CVE-2024-5187) addressed: a checksum field that is present with an incorrect value is not enforced, resulting in a silent load.
| Dimension | 5e98c060 | This finding (AI197/AI198) |
|---|---|---|
| checksum key present? | YES (wrong value) | NO |
| model.onnx changes on mutation? | YES | NO (identical) |
| Fix scope of 5e98c060 ("enforce checksum if present") | Addressed | Does NOT address |
| Root condition | Checksum enforcement gap | External payload authority gap |
The fix from 5e98c060 enforces the checksum when it exists. It does not add a checksum when none exists. Therefore, a model built without the checksum key (as in this package) is not covered by the existing fix.
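A pre-load integrity check that closes the gap described in the Mechanism and Distinctness sections, as an added example that is not part of this package's build.py, reproduce.py or checker.py. It audits every EXTERNAL initializer for a missing "checksum" key, verifies the spec's in-band SHA-1 checksum where one is present, and otherwise relies on an out-of-band SHA-256 manifest (the role SHA256SUMS.txt plays in this package) that is pinned from a trusted copy and re-verified before any inference session is created. `external_entries_from_model` is the only function that needs the onnx package and a real model.onnx; `demo` runs on a constructed two-float weights.bin so it works offline. The function names, the manifest format and the constructed bundle are this example's own assumptions.

```python
from __future__ import annotations

import hashlib
import json
import struct
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a whole file, streamed so large weight files need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def external_entries_from_model(model_path: Path) -> list[tuple[str, dict[str, str]]]:
    """(tensor name, external_data key/value map) for every top-level initializer that
    delegates its bytes to a companion file. Loads with load_external_data=False so no
    companion bytes are read before they have been verified. Requires the onnx package."""
    import onnx  # local import: the rest of this module runs without onnx installed
    from onnx.external_data_helper import uses_external_data

    model = onnx.load(str(model_path), load_external_data=False)
    return [(t.name, {kv.key: kv.value for kv in t.external_data})
            for t in model.graph.initializer if uses_external_data(t)]


def audit_entries(entries: list[tuple[str, dict[str, str]]]) -> list[str]:
    """Names of tensors whose external_data has no 'checksum' key: for these the loader
    has nothing in-band to verify the companion file against (the finding's condition)."""
    return [name for name, kv in entries if "checksum" not in kv]


def spec_checksum_ok(model_dir: Path, kv: dict[str, str]) -> bool | None:
    """If the optional 'checksum' key is present, compare it with the SHA-1 of the whole
    file named by 'location', the digest onnx.proto documents for that key.
    Returns None when the key is absent, i.e. there is nothing in-band to check."""
    digest = kv.get("checksum")
    if digest is None:
        return None
    path = model_dir / kv["location"]
    return path.is_file() and hashlib.sha1(path.read_bytes()).hexdigest() == digest.lower()


def pin_bundle(model_dir: Path, entries) -> dict[str, str]:
    """Out-of-band manifest {relative location: sha256}, taken from a trusted copy of the bundle."""
    return {kv["location"]: sha256_file(model_dir / kv["location"]) for _, kv in entries}


def verify_bundle(model_dir: Path, entries, manifest: dict[str, str]) -> dict[str, bool]:
    """Check every referenced companion file against the manifest. A location missing from
    the manifest or from disk is a failure: unknown external payloads must not be loaded."""
    results: dict[str, bool] = {}
    for _, kv in entries:
        loc = kv["location"]
        path = model_dir / loc
        expected = manifest.get(loc)
        results[loc] = expected is not None and path.is_file() and sha256_file(path) == expected
    return results


def demo() -> dict:
    """Constructed end-to-end run: pin a clean bundle, overwrite weights.bin with content of
    the same length but flipped sign (as in the finding), and re-verify. No model.onnx needed;
    the external_data entries below stand in for what external_entries_from_model returns."""
    clean = struct.pack("<2f", -1.0, 1.0)    # constructed W = [[-1.0, 1.0]]
    mutated = struct.pack("<2f", 1.0, -1.0)  # constructed W = [[1.0, -1.0]], same length
    entries = [
        ("W", {"location": "weights.bin", "length": "8"}),  # no checksum key, as in the package
        ("B", {"location": "weights.bin", "checksum": hashlib.sha1(clean).hexdigest()}),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp)
        (model_dir / "weights.bin").write_bytes(clean)
        manifest = pin_bundle(model_dir, entries)
        before = verify_bundle(model_dir, entries, manifest)
        spec_before = spec_checksum_ok(model_dir, entries[1][1])
        (model_dir / "weights.bin").write_bytes(mutated)  # same path, same size, new content
        after = verify_bundle(model_dir, entries, manifest)
        spec_after = spec_checksum_ok(model_dir, entries[1][1])
    return {
        "missing_checksum": audit_entries(entries),
        "clean_verifies": all(before.values()),
        "mutated_verifies": all(after.values()),
        "spec_checksum_clean": spec_before,
        "spec_checksum_mutated": spec_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a deployment the manifest is produced once from the bundle you actually reviewed and shipped separately from the model directory; `verify_bundle` then runs immediately before `onnxruntime.InferenceSession` is constructed, and a False for any location aborts the load. Hashing both files rather than only model.onnx is the whole point: the table above shows model.onnx's hash is unchanged by the mutation.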
File Layout
```text
hf_package_onnx_external_data_content_only_authority/
├── README.md                  - this file
├── requirements.txt
├── build.py                   - builds clean + mutated bundles from scratch
├── reproduce.py               - demonstrates content-only mutation at runtime
├── checker.py                 - onnx.checker + shape_inference validation
├── expected_output.txt        - expected reproduce.py output for CI
├── SHA256SUMS.txt             - sha256 of all package files
├── clean_savedmodel/
│   ├── model.onnx
│   └── weights.bin
├── mutated_savedmodel/
│   ├── model.onnx             - IDENTICAL to clean_savedmodel/model.onnx
│   └── weights.bin            - DIFFERENT content
└── artifacts/
    ├── round_ai197_hash_matrix.json
    ├── round_ai197_distinctness_vs_5e98c060.json
    ├── round_ai198_checker_runtime_results.json
    ├── round_ai198_package_filelist.json
    └── round_ai198_validation_results.json
```
Non-Claims
This finding does NOT claim any of the following:
- No code execution: does not involve remote code execution (RCE) or arbitrary code execution (ACE)
- No memory unsafety: does not involve memory corruption, buffer overflow, or heap exploitation
- No high/critical rating: no claim of High/Critical severity or CVSS ≥ 7.0
- No arbitrary output manipulation: scoped to same-path weights.bin content substitution only
- No primary scanner bypass claim: lack of scanner detection is a consequence, not the primary claim
- No OS permission bypass: does not bypass OS-level file permissions
The finding is scoped to: inference integrity under content-only mutation of the external weight file, with model.onnx unchanged and no runtime warning.
Reproduction
pip install -r requirements.txt
python reproduce.py
Expected output is in expected_output.txt. The checker can be verified independently:
python checker.py
Version Policy
requirements.txt specifies minimum versions (onnx>=1.16.0, onnxruntime>=1.16.0,
numpy>=1.24.0). Tested with: onnx==1.16.0, onnxruntime==1.23.2, numpy==2.2.6 on
Python 3.10 / aarch64 Linux.
Note: pip TMPDIR
On systems where $TMPDIR points to a small partition, pip may fail to extract large
wheels. If you encounter a disk-space error during install, set TMPDIR to a partition
with sufficient space (e.g., /tmp):
TMPDIR=/tmp pip install -r requirements.txt
python checker.py
python reproduce.py