ONNX Runtime Vulnerability PoCs
Disclosed via huntr.com — ONNX MFV program
Proof-of-concept scripts demonstrating vulnerabilities in ONNX Runtime's sparse initializer and external data processing (tested on onnxruntime==1.24.1).
Setup
python3 -m venv venv
./venv/bin/pip install onnxruntime==1.24.1 onnx==1.20.1 numpy
PoCs
PoC A — Arbitrary File Read (sparse initializer path traversal)
./venv/bin/python pocs/onnx-sparse-traversal/poc.py
PoC B — Arbitrary File Read (bytes-loaded, empty base_dir)
./venv/bin/python pocs/onnx-path-traversal/poc.py
PoC C — Arbitrary Memory Read + Heap OOB Write
./venv/bin/python pocs/onnx-rce-escalation/poc_oob_write.py mem
./venv/bin/python pocs/onnx-rce-escalation/poc_oob_write.py oob
PoC D — Full RCE (glibc exit handler overwrite)
**Tested on Ubuntu with glibc 2.39. Offsets are glibc-version-specific.**
./venv/bin/python pocs/onnx-rce-escalation/poc_rce_glibc_exitfuncs.py
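A defensive pre-load check for the path-traversal issues behind PoC A and PoC B, added here as an example; it is not one of the repository's PoC scripts. It uses the `onnx` Python package (its `load_external_data=False` option and the `TensorProto.EXTERNAL` / `external_data` fields are assumed from onnx 1.20's API) to list every dense or sparse initializer whose `location` would resolve outside the model's directory, and treats an empty base directory as the working directory instead of an empty prefix.

```python
"""Pre-load scan of an ONNX model for external_data locations that escape the
model directory (added example, not one of the repository's PoC scripts)."""
import os
import sys
from typing import List, Tuple


def location_escapes(base_dir: str, location: str) -> bool:
    """True if an external_data 'location' would resolve outside base_dir.
    An empty base_dir (the bytes-loaded case of PoC B) is treated as the
    current working directory rather than passed through as an empty prefix."""
    base = os.path.realpath(base_dir or os.getcwd())
    if os.path.isabs(location):
        return True  # a model directory never legitimately needs an absolute path
    target = os.path.realpath(os.path.join(base, location))
    return os.path.commonpath([base, target]) != base


def external_locations(model) -> List[Tuple[str, str]]:
    """(label, location) for every dense initializer and every sparse
    initializer (values and indices tensors) stored as EXTERNAL data."""
    from onnx import TensorProto  # assumed onnx API; imported lazily so the
    found: List[Tuple[str, str]] = []  # path check above runs without onnx

    def visit(tensor, label: str) -> None:
        if tensor.data_location == TensorProto.EXTERNAL:
            for entry in tensor.external_data:
                if entry.key == "location":
                    found.append((label, entry.value))

    for t in model.graph.initializer:
        visit(t, t.name)
    for s in model.graph.sparse_initializer:
        visit(s.values, s.values.name + "/values")
        visit(s.indices, s.values.name + "/indices")
    return found


def unsafe_locations(model_path: str) -> List[Tuple[str, str]]:
    """Parse only the protobuf (no external tensor bytes are read) and return
    the locations that would escape the model's own directory."""
    import onnx  # assumed: onnx.load(..., load_external_data=False)
    model = onnx.load(model_path, load_external_data=False)
    base_dir = os.path.dirname(os.path.abspath(model_path))
    return [(n, loc) for n, loc in external_locations(model)
            if location_escapes(base_dir, loc)]


if __name__ == "__main__":
    bad = unsafe_locations(sys.argv[1])
    for name, loc in bad:
        print(f"REFUSE: {name!r} points outside the model directory: {loc!r}")
    sys.exit(1 if bad else 0)
```

Tensors embedded in node attributes or subgraphs are not walked by this scan, and it checks only the path string, so it says nothing about the memory-safety issues in PoC C and D.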