
CVE-2024-5187: ONNX Framework Path Traversal Vulnerability

CVE-2024-5187 is a path traversal vulnerability in the ONNX Framework that allows attackers to overwrite arbitrary files, potentially leading to remote code execution. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-5187 Overview

CVE-2024-5187 is a path traversal vulnerability [CWE-22] in the download_model_with_test_data function of the onnx/onnx machine learning framework, version 1.16.0. The function extracts tar archives without validating entry paths, allowing a malicious archive to write files to arbitrary locations on the host filesystem. Attackers can overwrite system, application, or user files by crafting a tar entry with an absolute path or ../ traversal sequence. The Huntr bounty report demonstrates overwriting /home/kali/.ssh/authorized_keys to achieve remote code execution through SSH key implantation.

Critical Impact

Arbitrary file overwrite leading to remote code execution when a user downloads a malicious ONNX model archive.

Affected Products

  • Linux Foundation ONNX 1.16.0
  • Applications that invoke onnx.hub.download_model_with_test_data
  • ML pipelines consuming ONNX models from untrusted registries or hubs

Discovery Timeline

  • 2024-06-06 - CVE-2024-5187 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-5187

Vulnerability Analysis

The download_model_with_test_data function retrieves an ONNX model package as a tar archive and extracts its contents to the local filesystem. The extraction routine iterates over members of the tar file and writes each entry to disk using the path embedded in the archive header. The function does not normalize, canonicalize, or restrict those paths to the intended extraction directory.

An attacker who controls the contents of a published model can include tar members with absolute paths such as /home/<user>/.ssh/authorized_keys or relative paths containing ../ sequences. When a victim invokes the function against the malicious model, the Python tarfile extraction writes attacker-controlled bytes to those arbitrary locations with the privileges of the running process.

The Huntr report confirms file overwrite of SSH authorized keys, which converts a model download into persistent remote access. The same primitive can be redirected to overwrite cron files, shell startup scripts, Python site-packages, or service unit files, yielding code execution.

Root Cause

The root cause is unsafe use of tarfile.extractall (or an equivalent loop) without member validation. Tar archives carry per-entry pathnames that are honored verbatim during extraction. Without a guard that rejects absolute paths and paths resolving outside the destination directory, the Zip Slip class of path traversal applies directly to tar handling.
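As an added illustration of the guard the root cause calls for, the following Python is a hardened replacement for an unchecked tarfile.extractall. It is example code written for this page, not the onnx project's fix, and the function names (member_is_safe, safe_extract, write_archive, run_demo) and the archive contents it builds are constructed. It resolves every member name against the destination before anything is written, rejects absolute names, ../ escapes, and symlink or hard-link members whose targets leave the tree, and on interpreters that provide tarfile.data_filter (Python 3.12 and the security backports) additionally passes filter="data" to the standard library.

```python
# Added example (not from the onnx project): validate every tar member
# against the destination directory before extraction. Paths and archive
# contents below are constructed for the demonstration.
import io
import os
import tarfile
import tempfile
from typing import List, Optional, Tuple


def _inside(dest_real: str, candidate: str) -> bool:
    """True if `candidate`, fully resolved, lies under the already-resolved `dest_real`."""
    return os.path.commonpath([dest_real, os.path.realpath(candidate)]) == dest_real


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Reject any member that could place a write or a link outside `dest`."""
    dest_real = os.path.realpath(dest)
    if os.path.isabs(member.name) or not _inside(dest_real, os.path.join(dest_real, member.name)):
        return False  # absolute name or ../ escape (CWE-22)
    if member.isdev() or member.isfifo():
        return False  # a model archive never needs special files
    if member.issym():
        # A symlink target is relative to the link's own directory; a link that
        # points outside dest would let a later member write through it.
        link_dir = os.path.dirname(os.path.join(dest_real, member.name))
        if os.path.isabs(member.linkname) or not _inside(dest_real, os.path.join(link_dir, member.linkname)):
            return False
    if member.islnk():
        # A hard-link target is relative to the archive root.
        if os.path.isabs(member.linkname) or not _inside(dest_real, os.path.join(dest_real, member.linkname)):
            return False
    return True


def safe_extract(archive_path: str, dest: str) -> List[str]:
    """Extract `archive_path` into `dest`; raise ValueError before writing if any member is unsafe."""
    with tarfile.open(archive_path) as tf:
        members = tf.getmembers()
        bad = [m.name for m in members if not member_is_safe(m, dest)]
        if bad:
            raise ValueError(f"refusing to extract, unsafe members: {bad}")
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports: second layer
            tf.extractall(dest, members=members, filter="data")
        else:
            tf.extractall(dest, members=members)
    return [m.name for m in members]


def write_archive(path: str, entries: List[Tuple[str, bytes, Optional[str]]]) -> None:
    """Test fixture: write a .tar.gz whose member names are stored verbatim (constructed data)."""
    with tarfile.open(path, "w:gz") as tf:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))


def run_demo() -> dict:
    """Build a benign and a hostile archive in a temp dir and show how each is handled."""
    work = tempfile.mkdtemp(prefix="onnx-demo-")
    dest = os.path.join(work, "models")
    os.makedirs(dest)
    benign = os.path.join(work, "benign.tar.gz")
    hostile = os.path.join(work, "hostile.tar.gz")
    write_archive(benign, [("model/model.onnx", b"constructed-bytes", None)])
    write_archive(hostile, [
        ("model/model.onnx", b"constructed-bytes", None),
        ("../escaped.txt", b"would land in work/, not models/", None),  # ../ traversal
        ("/tmp/escaped.txt", b"absolute name", None),                    # absolute path
        ("model/link", b"", "../../outside"),                            # symlink escape
    ])
    result = {"benign": safe_extract(benign, dest), "hostile": None}
    try:
        safe_extract(hostile, dest)
    except ValueError as exc:
        result["hostile"] = str(exc)
    # Nothing from the hostile archive may exist outside dest.
    result["escaped_file_exists"] = os.path.exists(os.path.join(work, "escaped.txt"))
    return result


if __name__ == "__main__":
    print(run_demo())
```

The validation runs over the full member list before the first write, so a hostile archive leaves no partial extraction behind; resolving with os.path.realpath rather than string prefix checks also catches a member that tries to write through a symlink created by an earlier member.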

Attack Vector

Exploitation requires the victim to call download_model_with_test_data against an attacker-controlled model identifier or URL. The attacker hosts a tar archive containing a malicious path entry. No authentication or elevated privilege is needed on the target. User interaction is limited to initiating the download, which is routine in ML workflows that pull pre-trained models from public hubs.

For technical reproduction details, see the Huntr Bounty Report.

Detection Methods for CVE-2024-5187

Indicators of Compromise

  • Unexpected writes to ~/.ssh/authorized_keys, ~/.bashrc, ~/.profile, or cron paths originating from a Python process running onnx.
  • New or modified files outside the expected ONNX cache directory (typically ~/.onnx/ or a user-specified models directory) following a model download.
  • Tar archive members whose names begin with / or contain ../ when inspected with tar -tvf <archive>.
  • Outbound network connections to untrusted hosts immediately prior to filesystem modifications by Python interpreters.

Detection Strategies

  • Hook or audit calls to onnx.hub.download_model_with_test_data in CI/CD and developer environments and log the model source URL.
  • Use file integrity monitoring on sensitive paths such as ~/.ssh/, /etc/cron.*, /etc/systemd/system/, and Python site-packages directories.
  • Inspect tar archives before extraction with a static check that rejects absolute paths and traversal sequences.

Monitoring Recommendations

  • Alert on Python processes writing to authentication-related files outside their working directory.
  • Track installed ONNX versions across data science workstations and ML build agents to identify hosts still running 1.16.0.
  • Correlate model download events with subsequent filesystem and process activity to surface post-extraction execution chains.
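The following Python is an added example of the file-integrity check the detection and monitoring items describe, written for this page rather than taken from any product or from the onnx project. It snapshots the sensitive paths named above (an SSH directory and a shell startup file, scoped to a constructed temporary home), runs a download callable, and reports any of those paths created or modified by it; the function names snapshot, changed_paths, guarded_download and run_demo are assumptions.

```python
# Added example (not from the page or the onnx project): wrap a model download
# in a before/after snapshot of sensitive paths and report what changed.
# The home directory, files and "downloads" below are constructed.
import os
import tempfile
from typing import Callable, Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, int]]  # path -> (mtime_ns, size)


def snapshot(roots: List[str]) -> Snapshot:
    """Record mtime and size for every file under the given roots (missing roots are skipped)."""
    seen: Snapshot = {}
    for root in roots:
        if os.path.isfile(root):
            st = os.stat(root)
            seen[root] = (st.st_mtime_ns, st.st_size)
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except FileNotFoundError:
                    continue
                seen[path] = (st.st_mtime_ns, st.st_size)
    return seen


def changed_paths(before: Snapshot, after: Snapshot) -> List[str]:
    """Paths created or modified between two snapshots."""
    return sorted(p for p, v in after.items() if before.get(p) != v)


def guarded_download(download: Callable[[], None], watch: List[str]) -> List[str]:
    """Run `download()` and return the watched paths it touched; an empty list means clean."""
    before = snapshot(watch)
    download()
    return changed_paths(before, snapshot(watch))


def run_demo() -> dict:
    """Constructed home directory with a benign and an unexpected-write download."""
    home = tempfile.mkdtemp(prefix="fim-demo-")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    keys = os.path.join(ssh_dir, "authorized_keys")
    bashrc = os.path.join(home, ".bashrc")
    for path in (keys, bashrc):
        with open(path, "w") as fh:
            fh.write("# constructed baseline\n")
    cache = os.path.join(home, ".onnx")
    watch = [ssh_dir, bashrc]  # the advisory's IoC paths, scoped to the demo home

    def benign_download() -> None:
        # Writes only inside the expected ONNX cache directory.
        os.makedirs(cache, exist_ok=True)
        with open(os.path.join(cache, "model.onnx"), "wb") as fh:
            fh.write(b"constructed")

    def hostile_download() -> None:
        # Same cache write, plus a write outside the cache that monitoring must flag.
        benign_download()
        with open(keys, "a") as fh:
            fh.write("# constructed unexpected line\n")

    return {
        "benign": guarded_download(benign_download, watch),
        "hostile": guarded_download(hostile_download, watch),
        "keys_path": keys,
    }


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the watch list would cover the paths the advisory lists (~/.ssh/, /etc/cron.*, /etc/systemd/system/, site-packages) and the changed-path report would be emitted as an alert correlated with the model source URL logged at download time.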

How to Mitigate CVE-2024-5187

Immediate Actions Required

  • Upgrade onnx beyond 1.16.0 to a version that includes the path traversal fix.
  • Audit ML pipelines and notebooks for calls to download_model_with_test_data and restrict the model sources they accept.
  • Run model download and conversion workloads under a non-privileged service account with no write access to SSH or system configuration paths.
  • Review SSH authorized_keys, cron entries, and shell startup files on hosts that executed the vulnerable function against untrusted models.

Patch Information

Upgrade to a fixed onnx release published after 1.16.0. Verify the installed version with pip show onnx and confirm the package source against a trusted index. Refer to the Huntr Bounty Report for fix references.

Workarounds

  • Avoid calling download_model_with_test_data against untrusted model identifiers until upgrading.
  • Pre-validate tar archives by rejecting any member whose resolved path falls outside the intended extraction directory.
  • Execute ONNX model downloads inside a sandboxed container with a read-only host filesystem and ephemeral storage.
  • Pin ONNX models by hash and host them on an internal registry rather than fetching from public sources at runtime.
```bash
# Safe tar inspection before extraction: pass the archive path as the first
# argument (defaults to model.tar.gz); exits 1 on the first unsafe member.
python - "${1:-model.tar.gz}" <<'EOF'
import os, sys, tarfile

path = sys.argv[1]
with tarfile.open(path) as tf:
    for m in tf.getmembers():
        resolved = os.path.normpath(m.name)
        # Absolute names, or names that resolve above the extraction root
        unsafe = os.path.isabs(m.name) or resolved == '..' or resolved.startswith('..' + os.sep)
        # A symlink or hard link pointing outside the tree is just as dangerous
        if (m.issym() or m.islnk()) and (os.path.isabs(m.linkname) or '..' in m.linkname.split('/')):
            unsafe = True
        if unsafe:
            print(f'UNSAFE ENTRY: {m.name}')
            sys.exit(1)
print('archive paths look safe')
EOF
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
