---
license: openrail
tags:
- security
- adversarial
- tensorrt
- path-traversal
- zip-slip
- model-scanner-bypass
---

# TensorRT TEA Path Traversal PoC

**CVE:** N/A (responsible disclosure in progress)
**Type:** Path Traversal (Zip Slip) in the TensorRT Engine Archive format
**Impact:** Arbitrary file write → Remote Code Execution

## Description

This PoC demonstrates a path traversal vulnerability in NVIDIA TensorRT's Engine Archive (TEA) format. TEA is a ZIP-based container used by TensorRT 10.0+ for engine serialization. When `IRuntime::deserializeCudaEngine()` loads a `.tea` file, it extracts the ZIP entries without validating their names. An entry named `../../../tmp/evil.py` therefore escapes the extraction directory and is written to `/tmp/evil.py` (the three `..` components reach `/` from any extraction directory at most three levels deep; a deeper directory needs more components). The write happens with the privileges of the process that loads the engine, so the impact depends on where that process can write.

## Contents

- `tea_path_traversal.tea` - Malicious TEA archive containing:
  - `build_cfg.json` (legitimate)
  - `plan_cfg.json` (legitimate)
  - `engine.trt` (legitimate stub)
  - `timing.cache` (legitimate)
  - `../../../tmp/evil.py` (path traversal → written outside the extraction directory)

## Attack Vectors

1. **Arbitrary file write** → RCE by dropping cron jobs, startup scripts, or shared libraries that the loading process (or a later one) executes
2. **Configuration injection** via a crafted `build_cfg.json`
3. **Prototype pollution** via `__proto__` keys in the config (only applies where the config is consumed by JavaScript tooling; the C++ runtime has no prototype chain)
4. **Symlink escape** → information disclosure (a symlink entry is not part of this archive)

## References

- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- CWE-494: Download of Code Without Integrity Check
- Similar: the Zip Slip class of archive-extraction traversals in ZIP libraries (Snyk, 2018)

## Disclaimer

This PoC is provided for authorized security research and vulnerability disclosure only.
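The check a model scanner or a hardened loader needs is the one the README says TensorRT's extractor lacks. The following is an added example, not code from this repository or from TensorRT: it builds a constructed archive with the five entry names listed above (stub contents), shows where a naive `join(dest, name)` extractor would write the traversal entry, and implements a scanner plus a containment-checked extractor that rejects it. `build_tea`, `is_safe_member`, `scan_tea` and `safe_extract` are hypothetical helper names; the real TEA layout beyond the entry names is not assumed.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed sample mirroring the entry names listed above. Contents are stubs
# (the real engine bytes do not matter); only the entry names drive the check.
POC_ENTRIES = {
    "build_cfg.json": b"{}",
    "plan_cfg.json": b"{}",
    "engine.trt": b"\x00" * 16,
    "timing.cache": b"",
    "../../../tmp/evil.py": b"import os; os.system('id')\n",
}

def build_tea(entries=POC_ENTRIES) -> bytes:
    """Write the entries to an in-memory ZIP. zipfile stores names verbatim,
    so a '../' prefix survives into the central directory unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def naive_target_path(dest: str, name: str) -> str:
    """Where an extractor that just joins dest + name would write (string-level,
    POSIX semantics). Used to show the escape; it writes nothing."""
    return posixpath.normpath(posixpath.join(dest, name))

def is_safe_member(name: str) -> bool:
    """True iff the entry name cannot leave the extraction directory."""
    n = name.replace("\\", "/")          # some extractors accept '\' as well
    if "\x00" in n or n.startswith("/"):
        return False
    if len(n) >= 2 and n[1] == ":":      # Windows drive letter (C:...)
        return False
    norm = posixpath.normpath(n)
    return not (norm == ".." or norm.startswith("../"))

def scan_tea(data: bytes) -> list[str]:
    """Model-scanner view: list entries that would escape on extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_member(i.filename)]

def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract with two checks: name-level (is_safe_member) and a resolved-path
    containment check, so that a symlinked parent cannot redirect the write."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename):
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry resolves outside dest: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def demo() -> tuple[list[str], int]:
    """Scan the PoC archive, confirm safe_extract refuses it, then extract the
    benign entries only. Returns (flagged names, number of files written)."""
    poc = build_tea()
    flagged = scan_tea(poc)
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(poc, d)
            raise AssertionError("traversal entry was not rejected")
        except ValueError:
            pass
        benign = {k: v for k, v in POC_ENTRIES.items() if is_safe_member(k)}
        written = safe_extract(build_tea(benign), d)
    return flagged, len(written)

if __name__ == "__main__":
    print(demo())
    print(naive_target_path("/opt/trt/cache", "../../../tmp/evil.py"))
```

The name-level check alone is what most Zip Slip fixes add; the second `realpath`/`commonpath` check is what keeps a symlink already present under the destination (the symlink-escape vector listed above) from turning a safe-looking name into a write elsewhere. Note that Python's own `ZipFile.extractall` strips leading `..` components, so a Python-based scanner that extracts first and inspects afterwards will never see the escape; inspect `infolist()` names before extraction, as `scan_tea` does.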