YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
ONNX save_model file-like external-data cwd file-append PoC
This PoC demonstrates a verified ONNX issue in the shipped onnx 1.22.0 wheel:
- public API:
onnx.save_model() - trigger: saving attacker-controlled tensor data to a non-path writable file-like object
- effect: ONNX writes external tensor sidecar data into the process working directory
- stronger proven path: with
all_tensors_to_one_file=False, attacker-controlled tensor names become sidecar filenames and attacker-controlled tensor bytes are appended to the matching local file
Repo contents
repro.py: end-to-end reproducer that builds the malicious ONNX model in memory, saves it to a file-like wrapper, and proves local.envcorruption in the current working directoryREADME.md: impact summary and usage notes
What this proves
The PoC creates a benign local .env file, builds an ONNX model whose initializer is also named .env, and then calls:
onnx.save_model(
model,
FileStorage(stream=io.BytesIO(), filename="output.onnx", name="file"),
save_as_external_data=True,
all_tensors_to_one_file=False,
size_threshold=0,
)
Because ONNX trusts the wrapper .name metadata as if it were a real model path, the external-data write is anchored to the current working directory instead of an explicit trusted export directory. The local .env file ends up containing the appended attacker payload.
Run
python repro.py
Expected signal:
wrapper name: filecwd files: ['.env']appended payload: True
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support