YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
coremltools .mlpackage path traversal (CWE-22) β proof of concept
Loading an attacker supplied .mlpackage with coremltools (PyPI 9.0) opens arbitrary out-of-package files. The Manifest.json path field is joined to the package directory with no containment check, so an absolute path or parent directory segments escape the package. Reachable from the public coremltools.utils.load_spec and coremltools.models.MLModel on Linux (the native libmodelpackage reader), so it fires on conversion and CI hosts, not just macOS.
Files
poc.pyβ self contained proof. Builds a Core ML model outside a package, then loads a malicious package that reads it back (out-of-package read), and a second package that opens/etc/passwdvia../traversal.malicious.mlpackage/β a sample package whose Manifest escapes to/etc/passwd.log.txtβ a captured run showing the out-of-package read and the traversal open.
Run
pip install coremltools
python3 poc.py
Impact
When the target file is a Core ML model, its contents are returned as the loaded spec, disclosing other models on a shared host. For any other file the loader still opens it, giving a file existence oracle and a denial of service when the path points at a blocking device or FIFO. Unauthenticated, runs with the loading process privileges.
Fix
Resolve the Manifest supplied path and verify it stays inside the package data directory before opening. Reject absolute paths and parent directory escapes. The validate check should test containment, not only existence.