CVE-2024-7776: ONNX path traversal — HIGH

Q: Is CVE-2024-7776 actively exploited?

No confirmed active exploitation of CVE-2024-7776 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2024-7776?

1. Patch: Upgrade onnx to ≥1.17.0 immediately — this is the only complete fix. 2. Audit: Identify all pipeline components calling download_model() or loading tar-packaged ONNX models from external sources. 3. Source control: Whitelist model origins and enforce SHA-256 checksum verification before extraction. 4. Sandbox: Run model loading processes in low-privilege, filesystem-restricted environments (containers with read-only mounts outside the model directory). 5. Detection: Alert on tar/zip extraction creating files outside expected model directories; monitor for unexpected writes to ~/.ssh/, cron paths, or Python site-packages post model-load. 6. SBOM: Ensure onnx version is tracked in your software bill of materials for all AI-enabled products.

Q: What systems are affected by CVE-2024-7776?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML development environments, CI/CD ML pipelines, automated model fetching workflows.

Q: What is the CVSS score for CVE-2024-7776?

CVE-2024-7776 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 1.37%.

CISO Take

Any ML pipeline using onnx ≤1.16.1 to download models from untrusted sources is exposed to arbitrary file overwrite and potential RCE via malicious tar archives. Upgrade to onnx 1.17.0 immediately and audit all automated model-fetching workflows in your supply chain. Until patched, restrict model downloads to internal artifact registries with hash verification.

What is the risk?

High risk for ML teams that pull ONNX models from public registries, HuggingFace, or third-party sources. CVSS 8.1 with no privileges required, though user interaction is needed to trigger a model download. EPSS at 1.47% indicates low current exploitation activity, but the underlying technique (tar slip / path traversal) is well-documented and weaponizable by moderately skilled attackers. AI/ML inference hosts are high-value targets: RCE in these environments exposes training data, model IP, credentials, and downstream production systems.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
ONNX	pip	< 1.17.0	`1.17.0`
21.0K OpenSSF 8.8 1.2K dependents Pushed 3d ago 91% patched ~33d to patch Full package profile →

Do you use ONNX? You're affected.

How severe is it?

CVSS 3.1

8.1 / 10

EPSS

1.4%

chance of exploitation in 30 days

Higher than 68% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C None

I High

A High

What should I do?

6 steps

Patch: Upgrade onnx to ≥1.17.0 immediately — this is the only complete fix.
Audit: Identify all pipeline components calling download_model() or loading tar-packaged ONNX models from external sources.
Source control: Whitelist model origins and enforce SHA-256 checksum verification before extraction.
Sandbox: Run model loading processes in low-privilege, filesystem-restricted environments (containers with read-only mounts outside the model directory).
Detection: Alert on tar/zip extraction creating files outside expected model directories; monitor for unexpected writes to ~/.ssh/, cron paths, or Python site-packages post model-load.
SBOM

Ensure onnx version is tracked in your software bill of materials for all AI-enabled products.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution Framework Model AML.T0002.001 - Models AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.3 - Supply chain of AI system components

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to address identified AI risks

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-7776?

Any ML pipeline using onnx ≤1.16.1 to download models from untrusted sources is exposed to arbitrary file overwrite and potential RCE via malicious tar archives. Upgrade to onnx 1.17.0 immediately and audit all automated model-fetching workflows in your supply chain. Until patched, restrict model downloads to internal artifact registries with hash verification.

Is CVE-2024-7776 actively exploited?

No confirmed active exploitation of CVE-2024-7776 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-7776?

1. Patch: Upgrade onnx to ≥1.17.0 immediately — this is the only complete fix. 2. Audit: Identify all pipeline components calling download_model() or loading tar-packaged ONNX models from external sources. 3. Source control: Whitelist model origins and enforce SHA-256 checksum verification before extraction. 4. Sandbox: Run model loading processes in low-privilege, filesystem-restricted environments (containers with read-only mounts outside the model directory). 5. Detection: Alert on tar/zip extraction creating files outside expected model directories; monitor for unexpected writes to ~/.ssh/, cron paths, or Python site-packages post model-load. 6. SBOM: Ensure onnx version is tracked in your software bill of materials for all AI-enabled products.

What systems are affected by CVE-2024-7776?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML development environments, CI/CD ML pipelines, automated model fetching workflows.

What is the CVSS score for CVE-2024-7776?

CVE-2024-7776 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 1.37%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesML development environmentsCI/CD ML pipelinesautomated model fetching workflows

MITRE ATLAS Techniques

AML.T0002.001 Models

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.2.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

Exploitation Scenario

An adversary publishes a poisoned ONNX model to a public hub (e.g., HuggingFace, a model registry, or a typosquatted pip package). The malicious model archive embeds path traversal payloads in tar headers — e.g., entries named ../../.ssh/authorized_keys or ../../etc/cron.d/backdoor. When a data scientist or an automated training pipeline calls download_model() with the attacker's URL, the archive extracts attacker-controlled content to arbitrary filesystem locations. The adversary overwrites SSH authorized_keys for persistent access, injects a malicious Python package in site-packages for RCE on next import, or plants a cron job for scheduled callback — all without any indication to the victim beyond a successful-looking model download.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.