Orbax non-OCDBT absolute path injection PoC
Summary
This repository contains a harmless proof of concept for an absolute path injection issue in Orbax non-OCDBT PyTree checkpoint restoration.
A malicious checkpoint can inject an absolute filesystem path through its _METADATA file. During metadata-driven restoration, Orbax may load compatible Zarr data from outside the checkpoint directory.
The proof of concept uses only a controlled local directory under /tmp. It does not access sensitive files, execute commands, or use the network.
Tested version
orbax-checkpoint==0.12.0
Repository structure
malicious_checkpoint/
    _METADATA
    _CHECKPOINT_METADATA
    params.bias/
    params.weight/
controlled_outside/
    .zarray
    0
reproduce.py
generate_artifacts.py
requirements.txt
The malicious checkpoint intentionally does not contain an internal step/ directory.
Reproduction
Create a Python virtual environment and install the dependencies:
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Run:
python reproduce.py
Expected output:
internal step directory exists: False
tensorstore path: /tmp/orbax-controlled-outside/
external value: 424242
POC SUCCESS
External Zarr data outside the checkpoint directory was loaded.
Security impact
This demonstrates a checkpoint directory boundary escape. A malicious non-OCDBT Orbax checkpoint can cause compatible local Zarr data outside the checkpoint directory to be loaded during restoration.
This proof of concept does not claim arbitrary file read or remote code execution.
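A pre-restore check a consumer of untrusted checkpoints could run, as an added example that is not part of this repository or of Orbax. It assumes _METADATA is JSON and generalizes beyond the absolute-path case to any string that resolves outside the checkpoint directory; the function names and the sample's field names are hypothetical.

```python
import json
import os
import tempfile


def iter_strings(node):
    """Yield every string key and value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)


def escapes(checkpoint_dir, candidate):
    """True if candidate, joined onto checkpoint_dir, resolves outside it."""
    root = os.path.realpath(checkpoint_dir)
    try:
        # os.path.join drops `root` entirely when `candidate` is absolute,
        # which is why a naive join gives no containment guarantee.
        target = os.path.realpath(os.path.join(root, candidate))
    except ValueError:  # e.g. embedded NUL byte: treat as hostile
        return True
    return os.path.commonpath([root, target]) != root


def audit_metadata(checkpoint_dir, filename="_METADATA"):
    """Return metadata strings that would resolve outside checkpoint_dir."""
    with open(os.path.join(checkpoint_dir, filename), encoding="utf-8") as fh:
        doc = json.load(fh)
    return sorted({s for s in iter_strings(doc) if s and escapes(checkpoint_dir, s)})


def demo():
    # Constructed sample; field names are placeholders, not Orbax's schema.
    sample = {"entries": [{"name": "params.weight"},
                          {"name": "/tmp/orbax-controlled-outside/"},
                          {"name": "../sibling"}]}
    with tempfile.TemporaryDirectory() as ckpt:
        with open(os.path.join(ckpt, "_METADATA"), "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        return audit_metadata(ckpt)


if __name__ == "__main__":
    print(demo())
```

A non-empty result from `audit_metadata` is a reason to refuse restoration of that checkpoint.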