You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

OpenVINO Paddle Frontend Path Traversal PoC

This repository contains a minimal proof-of-concept for a path traversal issue in OpenVINO's Paddle frontend constant loader.

The PoC uses only a harmless sentinel tensor file:

OPENVINO_PADDLE_TRAVERSAL_PROOF

No real secrets or user data are included.

Summary

OpenVINO's Paddle frontend supports directory-style Paddle models where model/__model__ stores the protobuf graph and persistable constants are loaded as separate files relative to the model directory.

The frontend uses attacker-controlled protobuf variable names as filesystem path components when loading constants. A persistable LOD_TENSOR variable named ../outside_const causes OpenVINO to open model/../outside_const, which is outside the submitted model directory. The graph then routes that loaded constant to an inference output.

Files

  • model/__model__: minimal directory-style Paddle model protobuf.
  • outside_const: harmless tensor-formatted sentinel file outside model/.
  • reproduce_openvino_paddle_traversal.py: local reproduction script.
  • requirements.txt: Python package requirement for reproduction.

Reproduction

python3 -m pip install -r requirements.txt
python3 reproduce_openvino_paddle_traversal.py

Expected output includes:

var_name=../outside_const
escaped_model_dir=True
openvino_paddle_load_with_escaped_file=ok
openvino_paddle_convert_outputs=1
openvino_infer_output=b'OPENVINO_PADDLE_TRAVERSAL_PROOF'
openvino_paddle_load_without_escaped_file=error ...

Impact

An attacker who can supply a directory-style Paddle model to an OpenVINO-based model loader, scanner, converter, CI job, or model-serving workflow can make OpenVINO load a file outside the submitted model directory as a constant and route those bytes to inference output.

This should not be treated as code execution or arbitrary write. It is a model-directory containment bypass with conditional out-of-directory file disclosure and model output manipulation impact.

Tested Version

  • OpenVINO Python runtime: 2026.2.1-21919-ede283a88e3-releases/2026/2
  • Source reviewed: OpenVINO commit 0b944b9

Safety

This PoC is intentionally non-destructive. It reads only the included sentinel file outside_const and does not access any host secrets.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support