ONNX INT4 Silent Weight Corruption PoC
Security Research Only - Do NOT use this model for inference
Vulnerability
- Package: onnx (PyPI, v1.21.0)
- File: onnx/numpy_helper.py, function _unpack_4bit()
- Code: result.resize(dims, refcheck=False) silently zero-pads when raw_data is smaller than dims
- CVE: Pending (reported to Huntr)
Description
When loading an INT4/UINT4 tensor via numpy_helper.to_array(), if raw_data is smaller
than the declared dims, _unpack_4bit() uses ndarray.resize() which silently pads
with zeros instead of raising ValueError. Standard types (FLOAT, INT8, etc.) raise
ValueError in the same case.
onnx.checker.check_model() does not detect this inconsistency.
Reproduction
import onnx
from onnx import numpy_helper
# Load this evil_int4.onnx
model = onnx.load("evil_int4.onnx")
onnx.checker.check_model(model) # passes without error
init = model.graph.initializer[0]
print(f"raw_data length: {len(init.raw_data)} bytes") # 2 bytes
print(f"dims: {list(init.dims)}") # [100]
arr = numpy_helper.to_array(init)
print(f"shape: {arr.shape}") # (100,) - silent success
print(f"zeros: {int((arr==0).sum())}/100") # 96 zeros
Expected output:
raw_data length: 2 bytes
dims: [100]
shape: (100,)
zeros: 96/100
Affected Types
INT4, UINT4, FLOAT4E2M1, INT2, UINT2 (all sub-byte quantized types used in LLMs)
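A pre-load length check for the mismatch described above, added here as an example; it is not part of the original PoC or of the onnx project. It takes each tensor's name, type name, dims and raw_data as plain values and reports tensors whose packed payload does not match the declared shape. The function names, the type-name-to-bit-width mapping and the sample tensors are assumptions constructed for illustration.

```python
from math import prod

# Bit widths of the sub-byte types listed above, keyed by type name (assumed
# mapping for this example, so the block runs without onnx installed).
SUB_BYTE_BITS = {"INT4": 4, "UINT4": 4, "FLOAT4E2M1": 4, "INT2": 2, "UINT2": 2}


def expected_raw_bytes(dims, bits):
    """Bytes needed to pack prod(dims) elements of `bits` bits each."""
    if any(d < 0 for d in dims):
        raise ValueError(f"negative dimension in {list(dims)}")
    return (prod(dims) * bits + 7) // 8  # prod([]) == 1, i.e. a scalar


def audit_tensor(name, type_name, dims, raw_data):
    """Return None when raw_data matches dims, otherwise a finding dict."""
    bits = SUB_BYTE_BITS.get(type_name)
    if bits is None:
        return None  # not a sub-byte type; out of scope for this check
    need, have = expected_raw_bytes(dims, bits), len(raw_data)
    if have == need:
        return None
    stored = have * 8 // bits  # elements actually present in raw_data
    return {
        "tensor": name,
        "expected_bytes": need,
        "actual_bytes": have,
        # elements a zero-padding loader would invent instead of failing
        "zero_filled": max(prod(dims) - stored, 0),
    }


def audit_model(tensors):
    """Audit (name, type_name, dims, raw_data) tuples; return all findings."""
    return [f for f in (audit_tensor(*t) for t in tensors) if f]


# Constructed sample tensors; "w_short" mirrors the 2-byte / dims [100] case.
SAMPLE = [
    ("w_ok", "INT4", [100], bytes(50)),
    ("w_odd", "UINT4", [3, 3], bytes(5)),  # 9 nibbles round up to 5 bytes
    ("w_short", "INT4", [100], b"\x21\x43"),
    ("w_int2", "INT2", [10], bytes(2)),  # 20 bits need 3 bytes
]

if __name__ == "__main__":
    for finding in audit_model(SAMPLE):
        print(finding)
```

With onnx installed, the tuples can be built from `model.graph.initializer` using `init.name`, `onnx.TensorProto.DataType.Name(init.data_type)`, `init.dims` and `init.raw_data`. Apply the check only to initializers that actually carry `raw_data`.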
Uploaded by kevintsai1202 for responsible disclosure via Huntr.