TensorFlow.js (tfjs-node): arbitrary file read via weightsManifest path traversal (CWE-22)
Loading an untrusted TensorFlow.js model with @tensorflow/tfjs-node reads arbitrary host files.
A model is a model.json plus weight files named in weightsManifest[].paths. The Node filesystem
loader resolves each weight path with join(modelDir, path) and reads it with readFile, with no
containment check, so a weight path containing ../ escapes the model directory.
Reproduce
1. npm install @tensorflow/tfjs-node
2. unzip poc.zip (gives model.json with weightsManifest path ../../../../../../../../etc/hostname, and poc.js)
3. node poc.js model.json
- Output: the loaded model's weight buffer contains the bytes of /etc/hostname (a file outside the model dir).
Affected API: tf.loadLayersModel('file://.../model.json'), tf.loadGraphModel(...), tf.io.fileSystem(...).load().
Root cause
tfjs-node/src/io/file_system.ts loadWeights():
```ts
const weightFilePath = join(dirName, path);
const buffer = await readFile(weightFilePath);
```
No rejection of ../ segments or absolute paths, no normalize(), no startsWith(dir) containment check.
Fix
Resolve each weight path and verify that the result stays within the model directory; reject ../ segments and absolute paths.
Not a duplicate
No CVE, GHSA or OSV entry for @tensorflow/tfjs-node covers this; no huntr report; a web search found no matching advisory.