CVE-2024-27318 Overview
CVE-2024-27318 is a Directory Traversal vulnerability affecting the Open Neural Network Exchange (ONNX) package versions up to and including 1.15.0. This vulnerability allows attackers to read arbitrary files outside the intended model directory by manipulating the external_data field within the tensor proto structure. Notably, this flaw serves as a bypass for the security patch previously implemented for CVE-2022-25882, indicating that the original fix was insufficient in preventing all traversal attack vectors.
Critical Impact
Attackers can exploit this vulnerability to access sensitive files outside the model directory, potentially exposing configuration files, credentials, or other confidential data on systems processing untrusted ONNX models.
Affected Products
- Linux Foundation ONNX versions up to and including 1.15.0
- Fedora 39 (packages using vulnerable ONNX versions)
- Fedora 40 (packages using vulnerable ONNX versions)
Discovery Timeline
- 2024-02-23 - CVE-2024-27318 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2024-27318
Vulnerability Analysis
The vulnerability resides in how ONNX handles external data references within tensor protocol buffer definitions. ONNX models can store large tensor data in external files to keep the main model file manageable. The external_data field in the tensor proto specifies the location of these external data files. However, insufficient path validation allows attackers to craft malicious ONNX models containing path traversal sequences (such as ../) that escape the intended model directory boundaries.
This vulnerability is particularly concerning because it bypasses the security controls implemented in response to CVE-2022-25882, suggesting the original patch did not account for all possible traversal techniques or edge cases. When a victim loads a maliciously crafted ONNX model, the parser follows the traversal path and reads file contents from arbitrary locations on the file system.
Root Cause
The root cause is improper input validation (CWE-22) in the path handling logic for external data references. The validation implemented to address CVE-2022-25882 failed to properly sanitize or restrict file paths specified in the external_data field, allowing attackers to use directory traversal sequences to reference files outside the model's designated directory or user-provided base path. The path normalization and boundary checking mechanisms were incomplete, enabling bypass techniques.
Attack Vector
This vulnerability is exploitable via network-based attacks where a victim is tricked into loading a malicious ONNX model. The attack scenario involves:
- An attacker crafts a malicious ONNX model file with the external_data field containing path traversal sequences pointing to sensitive files (e.g., /etc/passwd, configuration files, or application secrets)
- The malicious model is distributed to victims through model sharing platforms, supply chain compromise, or social engineering
- When the victim's application loads and processes the model, the ONNX library follows the traversal path and attempts to read the specified files
- The attacker gains unauthorized access to file contents, leading to information disclosure
The attack requires no authentication or user interaction beyond loading the malicious model, making it exploitable in automated ML pipeline environments where models may be fetched from external sources.
Detection Methods for CVE-2024-27318
Indicators of Compromise
- ONNX model files containing suspicious external_data paths with ../ or absolute path references
- Unexpected file access attempts from processes running ONNX-dependent applications
- Log entries showing file read operations targeting sensitive system files from ML/AI application contexts
- Model files with external data references pointing outside expected directories
Detection Strategies
- Implement file integrity monitoring on ONNX model repositories and model storage directories
- Monitor process behavior for ML applications attempting to access files outside designated model directories
- Deploy application-level logging to capture and alert on external data path resolution in ONNX model loading
- Use static analysis tools to scan ONNX models for suspicious external data references before deployment
Monitoring Recommendations
- Enable audit logging for file system access on systems processing ONNX models
- Monitor for unusual file read patterns from Python processes or applications using the ONNX library
- Implement network-level monitoring for downloads of ONNX model files from untrusted sources
- Set up alerts for access attempts to sensitive configuration files from ML pipeline processes
How to Mitigate CVE-2024-27318
Immediate Actions Required
- Upgrade ONNX to a version newer than 1.15.0 that includes the security fix
- Review and validate all ONNX models in use, especially those obtained from external sources
- Implement strict model provenance verification before loading any ONNX models
- Apply network segmentation to isolate ML processing systems from sensitive data stores
Patch Information
The Linux Foundation has addressed this vulnerability through a security commit. The fix is available in the ONNX GitHub repository. Users should update to the latest ONNX version that incorporates commit 66b7fb630903fdcf3e83b6b6d56d82e904264a20 or later. Fedora users should apply the updates announced in the Fedora package announcements.
Workarounds
- Implement application-level path validation before loading ONNX models to reject paths containing traversal sequences
- Run ONNX model processing in sandboxed or containerized environments with restricted file system access
- Only load ONNX models from trusted, verified sources with cryptographic signature validation
- Deploy chroot jails or similar isolation mechanisms for model processing workloads
# Configuration example - Upgrade ONNX using pip
pip install --upgrade onnx
# Verify installed version is patched
python -c "import onnx; print(onnx.__version__)"
# For Fedora users, apply system updates
sudo dnf update python3-onnx
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
