Open Neural Network Exchange Path Traversal Vulnerability via Symlink Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Open Neural Network Exchange (ONNX) versions prior to 1.21.0. An ONNX model can store tensor contents in separate external data files, referenced from the model by a relative location that ONNX is supposed to confine to the model (or user-provided) directory. The containment check is applied to the path string before symbolic links are resolved, so a symlink placed at the referenced location passes the check and is followed when the file is opened. A model whose external data file is a symlink can therefore read arbitrary files outside the model or user-provided directory.

Impact

Exploitation of this vulnerability allows reading of any file readable by the user running the model loader, including credentials, configuration files, and the process environment (exposed through procfs on Linux). This can disclose passwords, tokens, and other sensitive data. The attacker must be able to place the symlink in the model directory, for example by shipping it inside a model package or archive that is unpacked without symlink filtering; the vulnerability yields file disclosure only, not code execution.

Reproduction

To reproduce this vulnerability, create an ONNX model that stores a tensor as external data and save it. Remove the external data file and replace it with a symlink pointing to a sensitive file, such as '/etc/passwd'. When the model is loaded with external data loading enabled, the symlink is followed and the contents of the targeted file are read into the tensor, from which they can be retrieved by whoever loaded the model.
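The following is an added illustration, not code from the ONNX project or from the original advisory. It models the flaw described above with a hypothetical lexical containment check (lexical_check), the hardened form that resolves symlinks before comparing and refuses any symlink component (resolved_check), and a reader that opens the checked path with O_NOFOLLOW. The directory layout, file names (weights.bin, legit.bin, secret.txt) and file contents are constructed stand-ins; secret.txt plays the role of /etc/passwd so the script runs without touching real system files.

```python
import os
import tempfile


def lexical_check(model_dir: str, location: str) -> str:
    """Vulnerable pattern (hypothetical, modelled on a string-only path check).

    The joined path is normalised and compared against model_dir as text, so
    ``..`` segments are caught, but a symbolic link inside model_dir is never
    resolved and is silently followed by the later open().
    """
    base = os.path.normpath(model_dir)
    candidate = os.path.normpath(os.path.join(base, location))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"external data location escapes model directory: {location!r}")
    return candidate


def resolved_check(model_dir: str, location: str) -> str:
    """Hardened pattern: compare fully resolved paths and refuse any symlink.

    realpath() is applied to both sides, so a link to /etc/passwd resolves to
    /etc/passwd and fails the containment test. Any difference between the
    lexical path and its resolution means some component is a symlink, which is
    rejected even when its target happens to lie inside model_dir.
    """
    base = os.path.realpath(model_dir)
    candidate = os.path.normpath(os.path.join(base, location))
    resolved = os.path.realpath(candidate)
    if resolved != candidate or os.path.commonpath([base, resolved]) != base:
        raise ValueError(f"external data location rejected: {location!r}")
    return resolved


def open_external_data(model_dir: str, location: str):
    """Check, then open with O_NOFOLLOW so a link swapped in after the check
    (a time-of-check/time-of-use race) still cannot redirect the read."""
    path = resolved_check(model_dir, location)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW is absent on Windows
    return os.fdopen(os.open(path, flags), "rb")


def demonstrate() -> dict:
    """Build a throwaway model directory (constructed sample data), replace the
    external data file with a symlink, and run both checks against it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = os.path.join(tmp, "model")
        os.mkdir(model_dir)
        # Stand-in for /etc/passwd, kept outside the model directory.
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        # The model's external data file, replaced by a symlink as in the reproduction.
        os.symlink(secret, os.path.join(model_dir, "weights.bin"))
        # A genuine external data file that must keep working after hardening.
        with open(os.path.join(model_dir, "legit.bin"), "wb") as f:
            f.write(b"\x00\x00\x80\x3f" * 4)

        # Vulnerable: the lexical check passes and open() follows the link.
        with open(lexical_check(model_dir, "weights.bin")) as f:
            results["vulnerable_read"] = f.read()

        # Hardened: the symlink is rejected before anything is opened.
        try:
            resolved_check(model_dir, "weights.bin")
            results["hardened_rejects_symlink"] = False
        except ValueError:
            results["hardened_rejects_symlink"] = True

        # Plain ../ traversal is rejected by both checks.
        results["both_reject_dotdot"] = True
        for check in (lexical_check, resolved_check):
            try:
                check(model_dir, "../secret.txt")
                results["both_reject_dotdot"] = False
            except ValueError:
                pass

        # Regular files inside the directory are still readable after hardening.
        with open_external_data(model_dir, "legit.bin") as f:
            results["hardened_reads_regular"] = len(f.read())
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The reproduction against ONNX itself would save a model with onnx.save_model(..., save_as_external_data=True) and reload it with onnx.load(); that is not shown here because it needs the library installed. Two caveats on the hardened form: O_NOFOLLOW only refuses a symlink in the final path component, so the realpath comparison is still needed for links in intermediate directories, and the check assumes model_dir itself is not attacker-writable between the check and the open.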

Remediation

Users should update to ONNX version 1.21.0 or later, where this vulnerability has been patched. Until the upgrade is applied, load models only from trusted sources, reject symlink entries when unpacking model archives, and keep model directories free of symbolic links before loading external data.

Added: Apr 1, 2026, 7:10 PM
Updated: Apr 1, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.7
exploitability: 5.6
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.