Open Neural Network Exchange Symlink Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A symlink traversal vulnerability has been identified in Open Neural Network Exchange (ONNX) versions prior to 1.21.0. It allows external data loading to read files outside the model directory, leading to arbitrary file read and potential confidentiality breaches. The issue arises because the function responsible for resolving external data locations does not properly handle symlinks: a symlink placed inside the model directory is followed without the resolved target being checked, so it can escape the intended directory confinement.

Impact

Exploitation of this vulnerability allows arbitrary file reads from outside the model directory, which could lead to unauthorized access to sensitive information on the host loading the model.

Reproduction

The vulnerability can be reproduced by creating a model that includes an external tensor reference. That reference can be made to point to a file outside the model directory by way of a symlink. Once the model is loaded, the external data loading function follows the symlink and reads the target file, confirming the vulnerability.
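The following is an added example, not ONNX's own code, showing the difference between a lexical containment check (which the advisory describes as insufficient, since it never follows symlinks) and a hardened check that resolves the real target first. The function names, the constructed temporary model directory and the file names are assumptions for illustration.

```python
import os
import tempfile


def is_within_directory(base_dir: str, location: str) -> bool:
    """Hypothetical hardened check (not ONNX's own code): resolve `location`
    relative to `base_dir`, following every symlink, and confirm the real
    target still lies inside `base_dir`."""
    if os.path.isabs(location):  # absolute locations are never inside
        return False
    base_real = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link to an outside file resolves outside.
    target_real = os.path.realpath(os.path.join(base_real, location))
    try:
        # commonpath also guards against prefix tricks such as /models vs /models2.
        return os.path.commonpath([base_real, target_real]) == base_real
    except ValueError:  # paths on different drives (Windows)
        return False


def lexical_is_within_directory(base_dir: str, location: str) -> bool:
    """Lexical-only check of the kind the advisory describes as insufficient:
    normpath strips '..' segments but never follows symlinks."""
    if os.path.isabs(location):
        return False
    base_abs = os.path.abspath(base_dir)
    target_abs = os.path.normpath(os.path.join(base_abs, location))
    return os.path.commonpath([base_abs, target_abs]) == base_abs


def run_demo() -> dict:
    """Constructed fixture: a model directory holding one real tensor file and
    one symlink to a file outside it. Returns (lexical, hardened) verdicts
    keyed by the external-data `location` value being checked."""
    root = tempfile.mkdtemp()
    model_dir = os.path.join(root, "model")
    os.makedirs(model_dir)
    with open(os.path.join(root, "outside.txt"), "w") as f:
        f.write("not part of the model\n")
    with open(os.path.join(model_dir, "weights.bin"), "wb") as f:
        f.write(b"\x00" * 16)
    os.symlink(os.path.join(root, "outside.txt"), os.path.join(model_dir, "link.bin"))
    return {
        loc: (lexical_is_within_directory(model_dir, loc), is_within_directory(model_dir, loc))
        for loc in ("weights.bin", "link.bin", "../outside.txt")
    }
```

Running `run_demo()` shows the symlinked `link.bin` passing the lexical check but failing the hardened one, while the plain `../outside.txt` is rejected by both.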

Remediation

Users should update ONNX to version 1.21.0 or later, where this vulnerability has been patched.

Added: Apr 1, 2026, 6:30 PM
Updated: Apr 1, 2026, 6:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.2
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.