YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
ONNX Runtime model-package session option overwrite PoC
This PoC demonstrates that ONNX Runtime model-package metadata in
variant.json can set session.optimized_model_filepath. When an application
loads the package through the experimental model-package API and calls
CreateSession(..., session_options = NULL, ...), ONNX Runtime merges the
package-provided session options and writes the optimized model to the path
chosen by the package metadata.
The proof writes only to a sentinel file inside a fresh temporary directory created by the reproducer. It does not access secrets, does not touch system paths, and does not write arbitrary shell-script bytes. The resulting file is ONNX/ORT optimized-model serialization derived from the attacker-controlled model package.
Tested Context
- Validated with ONNX Runtime
1.28.0.dev20260618002 - Requires API version
28 - Requires headers for:
onnxruntime_c_api.honnxruntime_experimental_c_api.h
- Requires an ONNX Runtime library exposing the experimental model-package API
Files
README.md
requirements.txt
reproduce_onnxruntime_model_package_overwrite.py
expected_output.txt
scripts/build_harness.sh
src/ort_model_package_overwrite_proof.cc
Reproduction
Install Python dependencies:
python3 -m pip install -r requirements.txt
Set the ONNX Runtime header and library locations. ORT_INCLUDE_DIR must point
to the directory containing onnxruntime_c_api.h and
onnxruntime_experimental_c_api.h.
export ORT_INCLUDE_DIR=/path/to/onnxruntime/include/onnxruntime/core/session
export ORT_LIB_DIR=/path/to/onnxruntime/lib
Run:
python3 reproduce_onnxruntime_model_package_overwrite.py
The script creates a fresh temporary model package, writes a sentinel file under that same temporary directory, builds the small C++ harness, calls the model-package API, and verifies that the sentinel file was replaced by optimized model serialization.
For a dry run that only generates and prints the package metadata:
python3 reproduce_onnxruntime_model_package_overwrite.py --dry-run
Expected Signal
Successful output includes:
header_ORT_API_VERSION=28
selected_variant=variant_1
create_session=success
sentinel_present_after=False
overwrite_verified=True
Impact Boundaries
The strongest honest impact is a local file overwrite primitive during model package loading/session creation. A malicious package can choose any path that the ONNX Runtime process is allowed to write. The content is structured optimized-model serialization, not arbitrary raw bytes.
This should not be described as direct code execution, arbitrary byte write, or
general impact on every ONNX model loading path. The validated trigger is the
experimental model-package API path where package metadata becomes session
configuration when the caller passes session_options = NULL.