ONNX INT4 Silent Weight Corruption PoC

Security Research Only — Do NOT use this model for inference

Vulnerability

  • Package: onnx (PyPI, v1.21.0)
  • File: onnx/numpy_helper.py, function _unpack_4bit()
  • Code: result.resize(dims, refcheck=False) silently zero-pads when raw_data is smaller than dims
  • CVE: Pending (reported to Huntr)

Description

When an INT4/UINT4 tensor is loaded via numpy_helper.to_array() and its raw_data is smaller than the declared dims, _unpack_4bit() calls ndarray.resize(), which silently pads with zeros instead of raising ValueError. Standard types (FLOAT, INT8, etc.) raise ValueError in the same case.

onnx.checker.check_model() does not detect this inconsistency.

Reproduction

import onnx
from onnx import numpy_helper

# Load this evil_int4.onnx
model = onnx.load("evil_int4.onnx")
onnx.checker.check_model(model)  # passes without error

init = model.graph.initializer[0]
print(f"raw_data length: {len(init.raw_data)} bytes")  # 2 bytes
print(f"dims: {list(init.dims)}")                       # [100]

arr = numpy_helper.to_array(init)
print(f"shape: {arr.shape}")          # (100,) — silent success
print(f"zeros: {int((arr==0).sum())}/100")  # 96 zeros

Expected output:

raw_data length: 2 bytes
dims: [100]
shape: (100,)
zeros: 96/100

Affected Types

INT4, UINT4, FLOAT4E2M1, INT2, UINT2 (all sub-byte quantized types used in LLMs)
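
A pre-load consistency check for the mismatch described above, covering the affected types listed here. This is an added example, not code from the onnx project or from the original report; the function names, the tuple input format and the sample tensors are assumptions made for illustration, and the packing rule assumed is elements packed back to back and rounded up to a whole byte.

```python
import math
from typing import Iterable, NamedTuple, Sequence

# Bit widths of the sub-byte types this page lists as affected.
SUB_BYTE_BITS = {"INT4": 4, "UINT4": 4, "FLOAT4E2M1": 4, "INT2": 2, "UINT2": 2}


class Finding(NamedTuple):
    name: str
    dtype: str
    elements: int        # element count declared by dims
    expected_bytes: int  # packed size those elements need
    actual_bytes: int    # size of raw_data actually present


def expected_packed_bytes(dims: Sequence[int], bits: int) -> int:
    """Bytes needed for prod(dims) elements packed `bits` wide, rounded up."""
    return (math.prod(dims) * bits + 7) // 8  # prod([]) == 1, i.e. a scalar


def audit_initializers(tensors: Iterable[tuple]) -> list:
    """Flag sub-byte tensors whose raw_data length disagrees with their dims.

    Each item is (name, dtype_name, dims, raw_data). Pass raw_data=None for a
    tensor that carries no raw_data (typed fields or external data); those are
    skipped. With onnx installed, a tuple can be built from a TensorProto t as
    (t.name, onnx.TensorProto.DataType.Name(t.data_type), list(t.dims),
     t.raw_data if t.HasField("raw_data") else None).
    """
    findings = []
    for name, dtype, dims, raw in tensors:
        bits = SUB_BYTE_BITS.get(dtype)
        if bits is None or raw is None:
            continue
        want = expected_packed_bytes(dims, bits)
        if len(raw) != want:
            findings.append(Finding(name, dtype, math.prod(dims), want, len(raw)))
    return findings


# Constructed sample input; the first entry mirrors the PoC (2 bytes, dims [100]).
SAMPLES = [
    ("evil_w", "INT4", [100], b"\x21\x43"),
    ("good_w", "UINT4", [3], b"\x21\x03"),
    ("short_q2", "INT2", [5], b"\x1b"),
    ("fp32_w", "FLOAT", [4], b"\x00" * 4),  # not sub-byte: out of scope here
    ("typed_w", "INT4", [8], None),         # no raw_data: skipped
]

if __name__ == "__main__":
    for f in audit_initializers(SAMPLES):
        print(f"{f.name}: {f.dtype} needs {f.expected_bytes} bytes, raw_data has {f.actual_bytes}")
```

Running the audit before numpy_helper.to_array() lets a loader reject the model instead of accepting zero-padded weights.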

Uploaded by kevintsai1202 for responsible disclosure via Huntr.
