You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

ONNX Runtime model-package session option overwrite PoC

This PoC demonstrates that ONNX Runtime model-package metadata in variant.json can set session.optimized_model_filepath. When an application loads the package through the experimental model-package API and calls CreateSession(..., session_options = NULL, ...), ONNX Runtime merges the package-provided session options and writes the optimized model to the path chosen by the package metadata.

The proof writes only to a sentinel file inside a fresh temporary directory created by the reproducer. It does not access secrets, does not touch system paths, and does not write arbitrary shell-script bytes. The resulting file is ONNX/ORT optimized-model serialization derived from the attacker-controlled model package.

Tested Context

  • Validated with ONNX Runtime 1.28.0.dev20260618002
  • Requires API version 28
  • Requires headers for:
    • onnxruntime_c_api.h
    • onnxruntime_experimental_c_api.h
  • Requires an ONNX Runtime library exposing the experimental model-package API

Files

README.md
requirements.txt
reproduce_onnxruntime_model_package_overwrite.py
expected_output.txt
scripts/build_harness.sh
src/ort_model_package_overwrite_proof.cc

Reproduction

Install Python dependencies:

python3 -m pip install -r requirements.txt

Set the ONNX Runtime header and library locations. ORT_INCLUDE_DIR must point to the directory containing onnxruntime_c_api.h and onnxruntime_experimental_c_api.h.

export ORT_INCLUDE_DIR=/path/to/onnxruntime/include/onnxruntime/core/session
export ORT_LIB_DIR=/path/to/onnxruntime/lib

Run:

python3 reproduce_onnxruntime_model_package_overwrite.py

The script creates a fresh temporary model package, writes a sentinel file under that same temporary directory, builds the small C++ harness, calls the model-package API, and verifies that the sentinel file was replaced by optimized model serialization.

For a dry run that only generates and prints the package metadata:

python3 reproduce_onnxruntime_model_package_overwrite.py --dry-run

Expected Signal

Successful output includes:

header_ORT_API_VERSION=28
selected_variant=variant_1
create_session=success
sentinel_present_after=False
overwrite_verified=True

Impact Boundaries

The strongest honest impact is a local file overwrite primitive during model package loading/session creation. A malicious package can choose any path that the ONNX Runtime process is allowed to write. The content is structured optimized-model serialization, not arbitrary raw bytes.

This should not be described as direct code execution, arbitrary byte write, or general impact on every ONNX model loading path. The validated trigger is the experimental model-package API path where package metadata becomes session configuration when the caller passes session_options = NULL.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support