AI Threat Alert

CVE-2024-5187: ONNX: path traversal in model download enables RCE

GHSA-6rq9-53c3-f7vj HIGH PoC AVAILABLE CISA: ATTEND
Published June 6, 2024
CISO Take

ONNX versions before 1.16.2 allow arbitrary file overwrite via malicious tar archives when calling download_model_with_test_data, enabling RCE through SSH key injection or cron job tampering. Patch to onnx>=1.16.2 immediately and audit any automated pipeline that fetches ONNX models from external or untrusted sources. Apply container isolation and restrict filesystem write permissions for all ML workloads as defense-in-depth.

What is the risk?

CVSS 8.8 High with network reachability and no privilege requirement. The 'user interaction required' rating is misleading in ML contexts: automated CI/CD pipelines and model download scripts eliminate this barrier entirely, making exploitation effectively zero-click in common deployments. EPSS of 1.4% reflects low current active exploitation, but path traversal via tar is a trivial, well-documented technique requiring no ML expertise. Any ONNX deployment that automates model fetching from external sources is at high risk of full host compromise.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
ONNX pip < 1.16.2 1.16.2
21.0K OpenSSF 8.8 1.2K dependents Pushed 3d ago 91% patched ~33d to patch Full package profile →

Do you use ONNX? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
1.2%
chance of exploitation in 30 days
Higher than 64% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Patch immediately: upgrade to onnx>=1.16.2.

  2. Audit codebases for any calls to download_model_with_test_data or custom tar extraction code using ONNX <1.16.2.

  3. Only ingest ONNX models from cryptographically verified, internally mirrored sources — validate SHA256 checksums before any extraction.

  4. Run ML workloads in containers with read-only host mounts and minimal filesystem permissions; no Python process should have write access outside its working directory.

  5. Detection: alert on unexpected writes to ~/.ssh/, /etc/cron.d/, /etc/sudoers.d/, or /etc/passwd originating from Python or ONNX processes.

  6. Implement pre-extraction scanning of tar/zip archives in any pipeline that ingests external model files.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution Framework Model AML.T0002.001 AML.T0010.001 AML.T0011 AML.T0011.000

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.3 - Supply Chain for AI Systems
NIST AI RMF
MANAGE-2.2 - Treatments, Responses, and Adjustments for AI Risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-5187?

ONNX versions before 1.16.2 allow arbitrary file overwrite via malicious tar archives when calling download_model_with_test_data, enabling RCE through SSH key injection or cron job tampering. Patch to onnx>=1.16.2 immediately and audit any automated pipeline that fetches ONNX models from external or untrusted sources. Apply container isolation and restrict filesystem write permissions for all ML workloads as defense-in-depth.

Is CVE-2024-5187 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-5187, increasing the risk of exploitation.

How to fix CVE-2024-5187?

1. Patch immediately: upgrade to onnx>=1.16.2. 2. Audit codebases for any calls to download_model_with_test_data or custom tar extraction code using ONNX <1.16.2. 3. Only ingest ONNX models from cryptographically verified, internally mirrored sources — validate SHA256 checksums before any extraction. 4. Run ML workloads in containers with read-only host mounts and minimal filesystem permissions; no Python process should have write access outside its working directory. 5. Detection: alert on unexpected writes to ~/.ssh/, /etc/cron.d/, /etc/sudoers.d/, or /etc/passwd originating from Python or ONNX processes. 6. Implement pre-extraction scanning of tar/zip archives in any pipeline that ingests external model files.

What systems are affected by CVE-2024-5187?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps/CI-CD pipelines, model registries.

What is the CVSS score for CVE-2024-5187?

CVE-2024-5187 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.18%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingMLOps/CI-CD pipelinesmodel registries

MITRE ATLAS Techniques

AML.T0002.001 Models
AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, versions before 1.16.2, allow for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. The issue arises from the function's handling of tar file extraction without performing security checks on the paths within the tar file, as demonstrated by the ability to overwrite the `/home/kali/.ssh/authorized_keys` file by specifying an absolute path in the malicious tar file.

Exploitation Scenario

An adversary publishes a malicious ONNX model to a public repository or a compromised internal model registry. The tar archive embedded in the model package contains a file entry with an absolute path such as /home/mluser/.ssh/authorized_keys or /etc/cron.d/ml-backdoor. When a data scientist or an automated CI/CD pipeline calls download_model_with_test_data on this model URL — a common step in model benchmarking or testing workflows — the extraction routine writes the attacker's content to the specified absolute path without validation. The attacker now holds persistent SSH access to the ML training server or model serving host, enabling exfiltration of proprietary weights, training data, API keys in environment files, and lateral movement into the broader cloud environment.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Timeline

Published
June 6, 2024
Last Modified
January 27, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2026-28500 9.1

onnx: Integrity Verification bypass enables tampering

Same package: onnx
HIGH CVE-2026-34445 8.6

ONNX: property overwrite via crafted model file

Same package: onnx
HIGH CVE-2024-7776 8.1

ONNX: path traversal in download_model enables RCE

Same package: onnx
HIGH GHSA-q56x-g2fj-4rj6 7.1

onnx: TOCTOU symlink following enables arbitrary file write

Same package: onnx
MEDIUM CVE-2026-55832 6.1

tract-onnx: path traversal exposes arbitrary local files

Same package: onnx
Back to Threat Feed