Orbax non-OCDBT absolute path injection PoC

Summary

This repository contains a harmless proof of concept for an absolute path injection issue in Orbax non-OCDBT PyTree checkpoint restoration.

A malicious checkpoint can inject an absolute filesystem path through its _METADATA file. During metadata-driven restoration, Orbax may load compatible Zarr data from outside the checkpoint directory.

The proof of concept uses only a controlled local directory under /tmp. It does not access sensitive files, execute commands, or use the network.

Tested version

orbax-checkpoint==0.12.0

Repository structure

malicious_checkpoint/
  _METADATA
  _CHECKPOINT_METADATA
  params.bias/
  params.weight/

controlled_outside/
  .zarray
  0

reproduce.py
generate_artifacts.py
requirements.txt

The malicious checkpoint intentionally does not contain an internal step/ directory.

Reproduction

Create a Python virtual environment and install the dependencies:

python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Run:

python reproduce.py

Expected output:

internal step directory exists: False
tensorstore path: /tmp/orbax-controlled-outside/
external value: 424242

POC SUCCESS
External Zarr data outside the checkpoint directory was loaded.

Security impact

This demonstrates a checkpoint directory boundary escape. A malicious non-OCDBT Orbax checkpoint can cause compatible local Zarr data outside the checkpoint directory to be loaded during restoration.

This proof of concept does not claim arbitrary file read or remote code execution.
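The following is an added example, not code from this repository or from Orbax: a defensive pre-restore check that walks a checkpoint's _METADATA JSON and reports every path-like string that resolves outside the checkpoint directory, which is exactly the condition the proof of concept triggers. The metadata layout used below (an "entries" object with "path" fields), the directory /tmp/example-checkpoint and the sibling-checkpoint path are constructed for illustration and do not reproduce the real Orbax _METADATA schema; only the external path /tmp/orbax-controlled-outside/ comes from the expected output above.

```python
"""Pre-restore boundary check for a non-OCDBT checkpoint's _METADATA file.

Added example (not Orbax code). The metadata structure is assumed to be plain
JSON whose leaf strings may name Zarr/TensorStore locations; the walker is
schema-agnostic so it does not depend on the real Orbax layout.
"""
import json
import os
from typing import Any, Iterator, List, Tuple

# Constructed checkpoint root; it does not need to exist for path resolution.
CHECKPOINT_DIR = "/tmp/example-checkpoint"

# Constructed metadata (hypothetical schema). One entry stays inside the
# checkpoint, one carries the absolute path from the PoC output above, and
# one climbs out of the tree with "..".
SAMPLE_METADATA = {
    "entries": {
        "params.weight": {"value_type": "jax.Array", "path": "params.weight"},
        "params.bias": {"value_type": "jax.Array",
                        "path": "/tmp/orbax-controlled-outside/"},
        "params.scale": {"value_type": "jax.Array",
                         "path": "../sibling-checkpoint/params.scale"},
    }
}


def iter_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def looks_like_path(value: str) -> bool:
    """Flag absolute paths, file:// URIs and relative paths that climb upward."""
    if value.startswith("file://"):
        return True
    return os.path.isabs(value) or ".." in value.split("/")


def escapes_root(value: str, checkpoint_dir: str) -> bool:
    """True if the path does not resolve to a location inside checkpoint_dir.

    os.path.join discards the root when the second argument is absolute, so an
    injected absolute path is resolved as-is; relative paths resolve against
    the checkpoint root. realpath also collapses ".." and symlinks.
    """
    raw = value[len("file://"):] if value.startswith("file://") else value
    root = os.path.realpath(checkpoint_dir)
    target = os.path.realpath(os.path.join(root, raw))
    return os.path.commonpath([root, target]) != root


def find_escaping_paths(metadata: Any, checkpoint_dir: str) -> List[Tuple[str, str]]:
    """Return (json_path, value) for every path-like string outside the root."""
    return [(p, v) for p, v in iter_strings(metadata)
            if looks_like_path(v) and escapes_root(v, checkpoint_dir)]


def check_checkpoint_dir(checkpoint_dir: str) -> List[Tuple[str, str]]:
    """Load <checkpoint_dir>/_METADATA from disk and run the check on it."""
    with open(os.path.join(checkpoint_dir, "_METADATA"), "r", encoding="utf-8") as fh:
        return find_escaping_paths(json.load(fh), checkpoint_dir)


if __name__ == "__main__":
    findings = find_escaping_paths(SAMPLE_METADATA, CHECKPOINT_DIR)
    for json_path, value in findings:
        print(f"REJECT {json_path}: {value!r} resolves outside {CHECKPOINT_DIR}")
    if not findings:
        print("metadata stays within the checkpoint directory")
```

Run the check before handing a directory to the restore routine and refuse to restore if the list is non-empty; because the walker is schema-agnostic it also catches paths hidden in nested or list-valued fields, at the cost of occasionally flagging a non-path string that happens to start with "/".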
