
ONNX DoS PoC: Unbounded Tensor Dimension in numpy_helper.to_array()

Vulnerability

The onnx Python package (v1.17.0) fails to validate tensor dimensions before allocating memory in onnx.numpy_helper.to_array(). A crafted .onnx model file with a BFLOAT16 tensor declaring dims=[10,000,000,000] but containing only 1 actual data element causes np.empty(shape) to request ~18.6 GiB of memory, crashing the process instantly.

  • CWE: CWE-789 (Memory Allocation with Excessive Size Value)
  • CVSS: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • Affected: onnx Python package, all versions through 1.17.0, all opset versions (tested 17 and 21)

Affected Code Paths

Three separate code paths in to_array() are vulnerable; all allocate based on attacker-controlled tensor.dims with no bounds check:

| Data Type | Line (approx.) | Allocation Call | Result |
|---|---|---|---|
| BFLOAT16 | 354 | np.empty(shape, dtype=bfloat16) | MemoryError in 0.00s |
| FLOAT8 variants | 379 | np.empty(shape, dtype=float8*) | MemoryError in 0.00s |
| INT4 / UINT4 | 401 | np.empty(len(data), dtype=uint8) | ValueError in 0.00s |
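A defensive pre-check that callers can run on a tensor before handing it to to_array(): it rejects dims whose product exceeds a byte budget and dims that disagree with the amount of data actually stored. This is an added example, not code from the onnx project or this PoC; ELEM_BITS uses the real onnx.TensorProto.DataType enum values, the FakeTensor objects and the 512 MB budget are constructed stand-ins so it runs without onnx or numpy installed, and the function works on any object exposing the same TensorProto attribute names.

```python
from types import SimpleNamespace

# onnx.TensorProto.DataType enum value -> bits per stored element
ELEM_BITS = {1: 32, 2: 8, 3: 8, 4: 16, 5: 16, 6: 32, 7: 64, 9: 8, 10: 16, 11: 64,
             12: 32, 13: 64, 14: 64, 15: 128, 16: 16,   # 16 = BFLOAT16 (the PoC's type)
             17: 8, 18: 8, 19: 8, 20: 8,                 # FLOAT8 variants
             21: 4, 22: 4}                               # UINT4 / INT4, two per byte
TYPED_FIELDS = ("float_data", "int32_data", "int64_data", "double_data",
                "uint64_data", "string_data")
MAX_BYTES = 512 * 1024 * 1024  # same 512 MB cap the PoC's demo script uses

def declared_elements(dims):
    """Element count implied by dims (Python ints cannot overflow like size_t)."""
    n = 1
    for d in dims:
        if not isinstance(d, int) or d < 0:
            raise ValueError(f"invalid dimension {d!r}")
        n *= d
    return n  # dims=[] is a scalar: exactly one element

def stored_elements(tensor):
    """Elements actually present in the protobuf: raw bytes or a typed field."""
    if getattr(tensor, "raw_data", b""):
        return len(tensor.raw_data) * 8 // ELEM_BITS[tensor.data_type]
    return max(len(getattr(tensor, f, ())) for f in TYPED_FIELDS)

def check_tensor(tensor, max_bytes=MAX_BYTES):
    """Return the bytes to_array() would allocate, or raise ValueError first."""
    if tensor.data_type not in ELEM_BITS:
        raise ValueError(f"unsupported data_type {tensor.data_type}")
    want = declared_elements(tensor.dims)
    need = (want * ELEM_BITS[tensor.data_type] + 7) // 8  # integer ceil
    if need > max_bytes:  # budget check comes first: never trust dims alone
        raise ValueError(f"tensor declares {need} bytes, budget is {max_bytes}")
    have = stored_elements(tensor)
    if have != want:  # the PoC's tensor: dims say 10**10, payload holds 1
        raise ValueError(f"dims declare {want} elements but {have} are stored")
    return need  # tensors using external_data are out of scope for this check

def is_safe(tensor, max_bytes=MAX_BYTES):
    """True only if check_tensor() accepts the tensor."""
    try:
        return check_tensor(tensor, max_bytes) >= 0
    except ValueError:
        return False

# Constructed stand-ins for onnx.TensorProto (same attribute names)
# MALICIOUS mirrors the PoC: BFLOAT16, dims=[10**10], a single 2-byte element
MALICIOUS = SimpleNamespace(dims=[10_000_000_000], data_type=16, raw_data=b"\x80\x3f")
BENIGN = SimpleNamespace(dims=[2, 2], data_type=16, raw_data=bytes(8))  # four bfloat16
```

On a real model, iterate over model.graph.initializer and call check_tensor() on each entry before any to_array() call.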

Files

| File | Description |
|---|---|
| craft_malicious_onnx.py | Generates the 50-byte malicious .onnx file |
| demo_dos_onnx.py | Runs the PoC with a 512 MB memory safety cap |
| malicious_onnx_dos.onnx | The 50-byte malicious model file (opset 21) |

Reproduction

pip install onnx  # tested on 1.17.0

# Step 1: Generate malicious file (or use the included one)
python craft_malicious_onnx.py

# Step 2: Trigger the crash
python demo_dos_onnx.py

Expected Output

[1] Loading malicious ONNX model: malicious_onnx_dos.onnx
    File size: 50 bytes
    Tensor dims: [10000000000]
    Actual data elements: 1

[3] Calling onnx.numpy_helper.to_array(tensor)...
    This will attempt to allocate np.empty([10000000000]) = ~18.6 GB

[CONFIRMED] MemoryError triggered after 0.00 seconds
    Error: Unable to allocate 18.6 GiB for an array with shape
    (10000000000,) and data type (numpy.uint16, [('bfloat16', '<u2')])

Impact

Any application calling onnx.numpy_helper.to_array() on an untrusted .onnx file is vulnerable. ONNX is the standard interoperability format between ML frameworks (PyTorch, TensorFlow, scikit-learn). Affected downstream systems include model conversion pipelines, inference servers, model hub validation tools, and CI/CD pipelines that process user-submitted models.

Disclosure

Submitted to huntr.com under the ONNX (.onnx) Model File Format target.
