YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

ONNX save_model file-like external-data cwd file-append PoC

This PoC demonstrates a verified ONNX issue in the shipped onnx 1.22.0 wheel:

  • public API: onnx.save_model()
  • trigger: saving attacker-controlled tensor data to a non-path writable file-like object
  • effect: ONNX writes external tensor sidecar data into the process working directory
  • stronger proven path: with all_tensors_to_one_file=False, attacker-controlled tensor names become sidecar filenames and attacker-controlled tensor bytes are appended to the matching local file

Repo contents

  • repro.py: end-to-end reproducer that builds the malicious ONNX model in memory, saves it to a file-like wrapper, and proves local .env corruption in the current working directory
  • README.md: impact summary and usage notes

What this proves

The PoC creates a benign local .env file, builds an ONNX model whose initializer is also named .env, and then calls:

onnx.save_model(
    model,
    FileStorage(stream=io.BytesIO(), filename="output.onnx", name="file"),
    save_as_external_data=True,
    all_tensors_to_one_file=False,
    size_threshold=0,
)

Because ONNX trusts the wrapper .name metadata as if it were a real model path, the external-data write is anchored to the current working directory instead of an explicit trusted export directory. The local .env file ends up containing the appended attacker payload.

Run

python repro.py

Expected signal:

  • wrapper name: file
  • cwd files: ['.env']
  • appended payload: True
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support