CVE-2024-7776 — HIGH (CVSS 8.1) AI Security Vulnerability

Q: Is CVE-2024-7776 actively exploited?

No confirmed active exploitation of CVE-2024-7776 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2024-7776?

1. Patch: Upgrade onnx to ≥1.17.0 immediately — this is the only complete fix. 2. Audit: Identify all pipeline components calling download_model() or loading tar-packaged ONNX models from external sources. 3. Source control: Whitelist model origins and enforce SHA-256 checksum verification before extraction. 4. Sandbox: Run model loading processes in low-privilege, filesystem-restricted environments (containers with read-only mounts outside the model directory). 5. Detection: Alert on tar/zip extraction creating files outside expected model directories; monitor for unexpected writes to ~/.ssh/, cron paths, or Python site-packages post model-load. 6. SBOM: Ensure onnx version is tracked in your software bill of materials for all AI-enabled products.

Q: What systems are affected by CVE-2024-7776?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML development environments, CI/CD ML pipelines, automated model fetching workflows.

Q: What is the CVSS score for CVE-2024-7776?

CVE-2024-7776 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 5.26%.

CISO Take

Any ML pipeline using onnx ≤1.16.1 to download models from untrusted sources is exposed to arbitrary file overwrite and potential RCE via malicious tar archives. Upgrade to onnx 1.17.0 immediately and audit all automated model-fetching workflows in your supply chain. Until patched, restrict model downloads to internal artifact registries with hash verification.

Risk Assessment

High risk for ML teams that pull ONNX models from public registries, HuggingFace, or third-party sources. CVSS 8.1 with no privileges required, though user interaction is needed to trigger a model download. EPSS at 1.47% indicates low current exploitation activity, but the underlying technique (tar slip / path traversal) is well-documented and weaponizable by moderately skilled attackers. AI/ML inference hosts are high-value targets: RCE in these environments exposes training data, model IP, credentials, and downstream production systems.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
onnx	pip	< 1.17.0	`1.17.0`
20.8K OpenSSF 8.1 1.1K dependents Pushed 6d ago 90% patched ~29d to patch Full package profile →

Do you use onnx? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

5.3%

chance of exploitation in 30 days

Higher than 90% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI Required

S Unchanged

C None

I High

A High

Recommended Action

6 steps

Patch: Upgrade onnx to ≥1.17.0 immediately — this is the only complete fix.
Audit: Identify all pipeline components calling download_model() or loading tar-packaged ONNX models from external sources.
Source control: Whitelist model origins and enforce SHA-256 checksum verification before extraction.
Sandbox: Run model loading processes in low-privilege, filesystem-restricted environments (containers with read-only mounts outside the model directory).
Detection: Alert on tar/zip extraction creating files outside expected model directories; monitor for unexpected writes to ~/.ssh/, cron paths, or Python site-packages post model-load.
SBOM

Ensure onnx version is tracked in your software bill of materials for all AI-enabled products.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Framework Model AML.T0002.001 - Models AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.3 - Supply chain of AI system components

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to address identified AI risks

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-7776?

Any ML pipeline using onnx ≤1.16.1 to download models from untrusted sources is exposed to arbitrary file overwrite and potential RCE via malicious tar archives. Upgrade to onnx 1.17.0 immediately and audit all automated model-fetching workflows in your supply chain. Until patched, restrict model downloads to internal artifact registries with hash verification.

Is CVE-2024-7776 actively exploited?

No confirmed active exploitation of CVE-2024-7776 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-7776?

1. Patch: Upgrade onnx to ≥1.17.0 immediately — this is the only complete fix. 2. Audit: Identify all pipeline components calling download_model() or loading tar-packaged ONNX models from external sources. 3. Source control: Whitelist model origins and enforce SHA-256 checksum verification before extraction. 4. Sandbox: Run model loading processes in low-privilege, filesystem-restricted environments (containers with read-only mounts outside the model directory). 5. Detection: Alert on tar/zip extraction creating files outside expected model directories; monitor for unexpected writes to ~/.ssh/, cron paths, or Python site-packages post model-load. 6. SBOM: Ensure onnx version is tracked in your software bill of materials for all AI-enabled products.

What systems are affected by CVE-2024-7776?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML development environments, CI/CD ML pipelines, automated model fetching workflows.

What is the CVSS score for CVE-2024-7776?

CVE-2024-7776 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 5.26%.

Technical Details

NVD Description

A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

Exploitation Scenario

An adversary publishes a poisoned ONNX model to a public hub (e.g., HuggingFace, a model registry, or a typosquatted pip package). The malicious model archive embeds path traversal payloads in tar headers — e.g., entries named ../../.ssh/authorized_keys or ../../etc/cron.d/backdoor. When a data scientist or an automated training pipeline calls download_model() with the attacker's URL, the archive extracts attacker-controlled content to arbitrary filesystem locations. The adversary overwrites SSH authorized_keys for persistent access, injects a malicious Python package in site-packages for RCE on next import, or plants a cron job for scheduled callback — all without any indication to the victim beyond a successful-looking model download.