Upload README.md with huggingface_hub
bea6ebb verified
metadata
license: openrail
tags:
  - security
  - adversarial
  - tensorrt
  - path-traversal
  - zip-slip
  - model-scanner-bypass

TensorRT TEA Path Traversal PoC

CVE: N/A (responsible disclosure)
Type: Path Traversal (ZIP Slip) in TensorRT Engine Archive format
Impact: Arbitrary file write → Remote Code Execution

Description

This PoC demonstrates a path traversal vulnerability in NVIDIA TensorRT's Engine Archive (TEA) format. The TEA format is a ZIP-based container used by TensorRT 10.0+ for engine serialization.

When IRuntime::deserializeCudaEngine() loads a .tea file, it extracts the ZIP entries without validating their names. An entry whose name contains parent-directory components, such as ../../../tmp/evil.py, is therefore written outside the extraction directory.

Contents

  • tea_path_traversal.tea - Malicious TEA archive containing:
    • build_cfg.json (legitimate)
    • plan_cfg.json (legitimate)
    • engine.trt (legitimate stub)
    • timing.cache (legitimate)
    • ../../../tmp/evil.py (path traversal → writes outside extraction dir)

Attack Vectors

  1. Arbitrary file write → RCE via cron, startup scripts, shared libraries
  2. Configuration injection via malicious build_cfg.json
  3. Prototype pollution via __proto__ in config
  4. Symlink escape → information disclosure
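The check a consumer of ZIP-based model archives wants before extracting one is a pre-extraction scan of the entry names and attributes. The following added example (not part of this PoC or of TensorRT) covers the description above and attack vectors 1 and 4: it flags absolute paths, parent-directory components and symbolic-link entries, and its safe_extract refuses the whole archive if any entry fails, with a second realpath containment check as defence in depth. The fixture built by build_fixture is constructed for the test and only mimics the entry layout listed under Contents; the entry names, link target and helper names are assumptions, not values taken from the real archive.

```python
"""Defensive pre-extraction scan for ZIP-based archives such as TensorRT TEA files."""
import io
import os
import stat
import tempfile
import zipfile
from typing import List, Optional, Tuple


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # The Unix mode of an entry lives in the high 16 bits of external_attr.
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def unsafe_entries(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for every entry that must not be extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            normalised = name.replace("\\", "/")  # treat backslashes as separators too
            if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
                findings.append((name, "absolute path"))
                continue
            if ".." in normalised.split("/"):
                findings.append((name, "parent-directory traversal"))
                continue
            if _is_symlink(info):
                findings.append((name, "symbolic link"))
    return findings


def is_safe_archive(data: bytes) -> bool:
    return not unsafe_entries(data)


def safe_extract(data: bytes, dest: Optional[str] = None) -> List[str]:
    """Extract only after the scan passes; returns the relative paths written."""
    problems = unsafe_entries(data)
    if problems:
        raise ValueError(f"refusing to extract archive: {problems}")
    dest = os.path.realpath(dest or tempfile.mkdtemp(prefix="tea-"))
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            # Defence in depth: the resolved path must still lie under dest.
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"entry escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_fixture(traversal: bool = False, symlink: bool = False) -> bytes:
    """Constructed test archive mimicking the TEA entry layout (hypothetical contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("build_cfg.json", "{}")
        zf.writestr("plan_cfg.json", "{}")
        zf.writestr("engine.trt", b"\x00")
        zf.writestr("timing.cache", b"")
        if traversal:
            # Constructed traversal entry name, as described in the PoC.
            zf.writestr("../../../tmp/evil.py", "# constructed marker\n")
        if symlink:
            # Constructed symlink entry pointing outside the archive root.
            link = zipfile.ZipInfo("engine.trt.link")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../../outside_target")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_fixture(traversal=True, symlink=True)):
        print(f"REJECT {name!r}: {reason}")
    print("extracted:", safe_extract(build_fixture()))
```

Refusing the whole archive rather than skipping bad entries is deliberate: an archive carrying a traversal entry is hostile as a unit, and partial extraction would leave a half-populated engine directory that later code may trust. The realpath check in safe_extract is kept even though the name scan already passed, so that a symlink created earlier in the destination cannot redirect a later write.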

References

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory
  • CWE-494: Download of Code Without Integrity Check
  • Similar: CVE-2022-31129 (zip4j path traversal)

Disclaimer

This PoC is provided for authorized security research and vulnerability disclosure only.