High severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Arbitrary File Overwrite in onnx/onnx

CVE-2024-7776

Description

A vulnerability in the download_model function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in ONNX's download_model function before v1.17 allows arbitrary file overwrite, potentially leading to remote command execution.

Vulnerability Details

The ONNX (Open Neural Network Exchange) framework, version 1.16.1 and earlier, contains a vulnerability in the download_model function that fails to adequately prevent path traversal attacks when extracting tar files. The affected code uses tarfile.extractall() without properly sanitizing member paths, allowing a malicious tar archive to write files to arbitrary locations outside the intended extraction directory [1].

Exploitation

An attacker can exploit this by crafting a tar file containing members with directory traversal sequences (e.g., ../). When a user or automated process invokes download_model with the malicious tar, the framework extracts the file to a path outside the target directory. No authentication is required beyond the ability to supply the tar file to the function, making this a supply-chain-style attack vector where a compromised model repository or a man-in-the-middle could deliver the payload [2].

Impact

Successful exploitation allows arbitrary file overwrite in the user's filesystem. An attacker could overwrite critical system files, configuration files, or user scripts, potentially escalating to remote command execution depending on the overwritten file's context and privileges [1]. The ONNX ecosystem is widely used for AI model interoperability, increasing the potential reach of this vulnerability.

Mitigation

The ONNX project addressed this vulnerability in version 1.17 (commit 1b70f9b) by refactoring the tar extraction logic to use Python's tarfile.data_filter when available, which performs safer extraction [2][4]. Users should update to ONNX 1.17 or later. If upgrading is not possible, avoid downloading models from untrusted sources, or manually verify tar archives before extraction.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
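
One way to carry out the manual verification mentioned under Mitigation, as an added example that is not ONNX project code. The function names and the sample member names are assumptions, and the sample archive is constructed in memory for illustration.

```python
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, base: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that should block extraction."""
    abs_base = os.path.abspath(base)
    findings = []
    for member in tar.getmembers():
        target = os.path.abspath(os.path.join(abs_base, member.name))
        # commonpath compares whole path components, so a sibling directory
        # such as "<base>_old" is not mistaken for something inside <base>.
        if os.path.commonpath([abs_base, target]) != abs_base:
            findings.append((member.name, "resolves outside the extraction directory"))
        elif member.issym() or member.islnk():
            findings.append((member.name, "symbolic or hard link"))
        elif not (member.isfile() or member.isdir()):
            findings.append((member.name, "special file (device, FIFO, ...)"))
    return findings


def extract_if_clean(archive, base: str) -> list[tuple[str, str]]:
    """Extract only when no member is flagged; return the findings either way."""
    with tarfile.open(fileobj=archive) as tar:
        findings = unsafe_members(tar, base)
        if not findings:
            if hasattr(tarfile, "data_filter"):
                # Python releases with extraction filters: keep the stdlib check too.
                tar.extractall(path=base, filter="data")
            else:
                tar.extractall(path=base)
    return findings


def build_sample(names: list[str]) -> io.BytesIO:
    """Constructed sample: an in-memory tar holding small regular-file members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

If any member is flagged, nothing is extracted at all, so a partly written model directory is never left behind.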

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| onnx (PyPI) | < 1.17.0 | 1.17.0 |

Affected products

3

Patches

1
1b70f9b67325

Refactor safe extract method to fix issue 6215 (#6222)

https://github.com/onnx/onnx · liqun Fu · Jul 16, 2024 · via ghsa
3 files changed · +72 −50
  • onnx/backend/test/runner/__init__.py +1 −3 modified
    @@ -10,7 +10,6 @@
     import re
     import shutil
     import sys
    -import tarfile
     import tempfile
     import time
     import unittest
    @@ -242,8 +241,7 @@ def download_model(
                 )
                 urlretrieve(model_test.url, download_file.name)
                 print("Done")
    -            with tarfile.open(download_file.name) as t:
    -                t.extractall(models_dir)
    +            onnx.utils._extract_model_safe(download_file.name, models_dir)
             except Exception as e:
                 print(f"Failed to prepare data for model {model_test.model_name}: {e}")
                 raise
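
Review bot: no regression test accompanies the new `onnx.utils._extract_model_safe(download_file.name, models_dir)` call; the three changed files are all library modules. Suggest adding a test that hands the helper (or `download_model`) an archive with a `../` member and asserts both that it raises and that nothing is written outside `models_dir`. This call site also now depends on an underscore-prefixed helper in another module; if that sharing is intended, a comment in `onnx/utils.py` saying so would help.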
    
  • onnx/hub.py +8 −47 modified
    @@ -11,7 +11,6 @@
     import json
     import os
     import sys
    -import tarfile
     from io import BytesIO
     from os.path import join
     from typing import IO, Any, Dict, List, cast
    @@ -290,35 +289,6 @@ def load(
         return onnx.load(cast(IO[bytes], BytesIO(model_bytes)))
     
     
    -def _tar_members_filter(tar: tarfile.TarFile, base: str) -> list[tarfile.TarInfo]:
    -    """Check that the content of ``tar`` will be extracted safely
    -
    -    Args:
    -        tar: The tarball file
    -        base: The directory where the tarball will be extracted
    -
    -    Returns:
    -        list of tarball members
    -    """
    -    result = []
    -    for member in tar:
    -        member_path = os.path.join(base, member.name)
    -        abs_base = os.path.abspath(base)
    -        abs_member = os.path.abspath(member_path)
    -        if not abs_member.startswith(abs_base):
    -            raise RuntimeError(
    -                f"The tarball member {member_path} in downloading model contains "
    -                f"directory traversal sequence which may contain harmful payload."
    -            )
    -        elif member.issym() or member.islnk():
    -            raise RuntimeError(
    -                f"The tarball member {member_path} in downloading model contains "
    -                f"symbolic links which may contain harmful payload."
    -            )
    -        result.append(member)
    -    return result
    -
    -
     def download_model_with_test_data(
         model: str,
         repo: str = "onnx/models:main",
    @@ -393,23 +363,14 @@ def download_model_with_test_data(
                     "download the model from the model hub."
                 )
     
    -    with tarfile.open(local_model_with_data_path) as model_with_data_zipped:
    -        # FIXME: Avoid index manipulation with magic numbers
    -        local_model_with_data_dir_path = local_model_with_data_path[
    -            0 : len(local_model_with_data_path) - 7
    -        ]
    -        # Mitigate tarball directory traversal risks
    -        if hasattr(tarfile, "data_filter"):
    -            model_with_data_zipped.extractall(
    -                path=local_model_with_data_dir_path, filter="data"
    -            )
    -        else:
    -            model_with_data_zipped.extractall(
    -                path=local_model_with_data_dir_path,
    -                members=_tar_members_filter(
    -                    model_with_data_zipped, local_model_with_data_dir_path
    -                ),
    -            )
    +    # FIXME: Avoid index manipulation with magic numbers,
    +    # remove ".tar.gz"
    +    local_model_with_data_dir_path = local_model_with_data_path[
    +        0 : len(local_model_with_data_path) - 7
    +    ]
    +    onnx.utils._extract_model_safe(
    +        local_model_with_data_path, local_model_with_data_dir_path
    +    )
         model_with_data_path = (
             local_model_with_data_dir_path
             + "/"
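
Review bot: the slice `local_model_with_data_path[0 : len(local_model_with_data_path) - 7]` still strips seven characters blindly; the added comment says it removes ".tar.gz", but nothing checks that the path ends with that suffix. The result becomes the extraction directory passed to `_extract_model_safe`, so suggest an explicit `endswith(".tar.gz")` check that raises otherwise, which would also let the FIXME go.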
    
  • onnx/utils.py +63 −0 modified
    @@ -4,6 +4,7 @@
     from __future__ import annotations
     
     import os
    +import tarfile
     
     import onnx.checker
     import onnx.helper
    @@ -232,3 +233,65 @@ def extract_model(
         onnx.save(extracted, output_path)
         if check_model:
             onnx.checker.check_model(output_path)
    +
    +
    +def _tar_members_filter(
    +    tar: tarfile.TarFile, base: str | os.PathLike
    +) -> list[tarfile.TarInfo]:
    +    """Check that the content of ``tar`` will be extracted safely
    +
    +    Args:
    +        tar: The tarball file
    +        base: The directory where the tarball will be extracted
    +
    +    Returns:
    +        list of tarball members
    +    """
    +    result = []
    +    for member in tar:
    +        member_path = os.path.join(base, member.name)
    +        abs_base = os.path.abspath(base)
    +        abs_member = os.path.abspath(member_path)
    +        if not abs_member.startswith(abs_base):
    +            raise RuntimeError(
    +                f"The tarball member {member_path} in downloading model contains "
    +                f"directory traversal sequence which may contain harmful payload."
    +            )
    +        elif member.issym() or member.islnk():
    +            raise RuntimeError(
    +                f"The tarball member {member_path} in downloading model contains "
    +                f"symbolic links which may contain harmful payload."
    +            )
    +        result.append(member)
    +    return result
    +
    +
    +def _extract_model_safe(
    +    model_tar_path: str | os.PathLike, local_model_with_data_dir_path: str | os.PathLike
    +) -> None:
    +    """Safely extracts a tar file to a specified directory.
    +
    +    This function ensures that the extraction process mitigates against
    +    directory traversal vulnerabilities by validating or sanitizing paths
    +    within the tar file. It also provides compatibility for different versions
    +    of the tarfile module by checking for the availability of certain attributes
    +    or methods before invoking them.
    +
    +    Args:
    +        model_tar_path: The path to the tar file to be extracted.
    +        local_model_with_data_dir_path: The directory path where the tar file
    +      contents will be extracted to.
    +    """
    +    with tarfile.open(model_tar_path) as model_with_data_zipped:
    +        # Mitigate tarball directory traversal risks
    +        if hasattr(tarfile, "data_filter"):
    +            model_with_data_zipped.extractall(
    +                path=local_model_with_data_dir_path, filter="data"
    +            )
    +        else:
    +            model_with_data_zipped.extractall(
    +                path=local_model_with_data_dir_path,
    +                members=_tar_members_filter(
    +                    model_with_data_zipped, local_model_with_data_dir_path
    +                ),
    +            )
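
Review bot: in the fallback `_tar_members_filter`, `abs_member.startswith(abs_base)` is a string-prefix test rather than a path-containment test, so with a base such as `/tmp/models` (illustrative path) a member resolving to `/tmp/models_old/x` passes. Suggest comparing whole path components, for example `os.path.commonpath([abs_base, abs_member]) == abs_base`. `abs_base` can also be computed once before the loop, and the continuation line under `local_model_with_data_dir_path:` in the `_extract_model_safe` docstring is under-indented. This branch only runs where `tarfile` has no `data_filter`; a comment stating that next to the `else:` would help future readers.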
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
