Open Neural Network Exchange (ONNX) Path Traversal Vulnerability

GHSA-h36j-8vv3-cj52 · CVE-2024-7776 · PYSEC-2025-10

Published Mar 20, 2025 · Modified Mar 27, 2025

Description

A vulnerability in the download_model function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-7776
WEB https://github.com/onnx/onnx/pull/6222
WEB https://github.com/onnx/onnx/commit/1b70f9b673259360b6a2339c4bd97db9ea6e552f
PACKAGE https://github.com/onnx/onnx
WEB https://github.com/pypa/advisory-database/tree/main/vulns/onnx/PYSEC-2025-10.yaml
WEB https://huntr.com/bounties/a7a46cf6-1fa0-454b-988c-62d222e83f63

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes