YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
OpenVINO Paddle Frontend Path Traversal PoC
This repository contains a minimal proof-of-concept for a path traversal issue in OpenVINO's Paddle frontend constant loader.
The PoC uses only a harmless sentinel tensor file:
OPENVINO_PADDLE_TRAVERSAL_PROOF
No real secrets or user data are included.
Summary
OpenVINO's Paddle frontend supports directory-style Paddle models where
model/__model__ stores the protobuf graph and persistable constants are loaded
as separate files relative to the model directory.
The frontend uses attacker-controlled protobuf variable names as filesystem path
components when loading constants. A persistable LOD_TENSOR variable named
../outside_const causes OpenVINO to open model/../outside_const, which is
outside the submitted model directory. The graph then routes that loaded
constant to an inference output.
Files
model/__model__: minimal directory-style Paddle model protobuf.outside_const: harmless tensor-formatted sentinel file outsidemodel/.reproduce_openvino_paddle_traversal.py: local reproduction script.requirements.txt: Python package requirement for reproduction.
Reproduction
python3 -m pip install -r requirements.txt
python3 reproduce_openvino_paddle_traversal.py
Expected output includes:
var_name=../outside_const
escaped_model_dir=True
openvino_paddle_load_with_escaped_file=ok
openvino_paddle_convert_outputs=1
openvino_infer_output=b'OPENVINO_PADDLE_TRAVERSAL_PROOF'
openvino_paddle_load_without_escaped_file=error ...
Impact
An attacker who can supply a directory-style Paddle model to an OpenVINO-based model loader, scanner, converter, CI job, or model-serving workflow can make OpenVINO load a file outside the submitted model directory as a constant and route those bytes to inference output.
This should not be treated as code execution or arbitrary write. It is a model-directory containment bypass with conditional out-of-directory file disclosure and model output manipulation impact.
Tested Version
- OpenVINO Python runtime:
2026.2.1-21919-ede283a88e3-releases/2026/2 - Source reviewed: OpenVINO commit
0b944b9
Safety
This PoC is intentionally non-destructive. It reads only the included sentinel
file outside_const and does not access any host secrets.