CVE-2025-51480 Overview
CVE-2025-51480 is a path traversal vulnerability in the Open Neural Network Exchange (ONNX) library version 1.17.0. The flaw resides in the onnx.external_data_helper.save_external_data function, which fails to sanitize user-controlled external_data.location values. Attackers can supply crafted traversal sequences such as ../ to escape the intended output directory and overwrite arbitrary files on the host. Successful exploitation requires a victim to process a malicious ONNX model, enabling file overwrite that can lead to code execution or system compromise. The issue is tracked under CWE-22 and documented in the GitHub Security Advisory GHSA-6rq9-53c3-f7vj.
Critical Impact
Attackers can overwrite arbitrary files on systems that load malicious ONNX models, leading to integrity loss and potential code execution in machine learning pipelines.
Affected Products
- Linux Foundation ONNX 1.17.0
- Python applications using onnx.external_data_helper.save_external_data
- Machine learning pipelines that load untrusted ONNX models with external data references
Discovery Timeline
- 2025-07-22 - CVE-2025-51480 published to the National Vulnerability Database (NVD)
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2025-51480
Vulnerability Analysis
The vulnerability exists in ONNX's external data handling logic. ONNX models can store tensor data outside the protobuf file by referencing external files through the external_data.location attribute. The save_external_data function in onnx.external_data_helper writes tensor payloads to the path specified by this attribute.
The function joins the user-supplied location with a base directory without validating that the resulting path stays within that directory. Crafted location values containing ../ sequences resolve to paths outside the intended output folder. This permits an attacker to overwrite arbitrary files writable by the process running the ONNX tooling.
In machine learning workflows, ONNX models often come from third-party model hubs, customer uploads, or shared registries. Processing an untrusted model with external data references is sufficient to trigger the flaw. The impact extends to integrity, confidentiality, and availability when overwritten files include configuration, scripts, or binaries loaded later by the application.
Root Cause
The root cause is missing path canonicalization and containment checks before writing external tensor data. The library trusts the location field embedded in the model rather than enforcing that the final resolved path remains inside the designated external data directory.
Attack Vector
Exploitation requires an attacker to deliver a crafted ONNX model to a victim who invokes a save or conversion routine that calls save_external_data. The attack is network-reachable through model distribution channels and requires user interaction to load the model. No authentication is needed if the application accepts uploaded or remotely fetched models.
For technical details, see the Gecko Security analysis and the upstream fixes in pull request 6959 and pull request 7040.
Detection Methods for CVE-2025-51480
Indicators of Compromise
- ONNX model files containing external_data.location values with ../, absolute paths, or other traversal sequences
- Unexpected file writes outside the configured ONNX external data directory during model save or conversion
- Modified system files, Python site-packages, or configuration files following ONNX model processing
Detection Strategies
- Statically scan ONNX models before processing and reject any model whose external_data.location resolves outside the intended directory after canonicalization
- Monitor process file write activity during ONNX operations and alert on writes to paths outside the designated model workspace
- Audit Python dependency manifests for onnx==1.17.0 and flag environments still running the vulnerable version
Monitoring Recommendations
- Log all invocations of onnx.external_data_helper.save_external_data along with resolved output paths
- Enable filesystem auditing on directories adjacent to ML model storage to capture unauthorized writes
- Track ingress of ONNX models from external sources and correlate with downstream file modifications
How to Mitigate CVE-2025-51480
Immediate Actions Required
- Upgrade ONNX beyond 1.17.0 to a release containing the fixes from pull request 6959 and pull request 7040
- Validate and canonicalize external_data.location values in any custom ONNX processing code before invoking save routines
- Restrict the file system permissions of accounts running ONNX tooling to limit the blast radius of file overwrites
Patch Information
The ONNX maintainers addressed the issue in upstream merge requests #6959 and #7040. Refer to the GitHub Security Advisory GHSA-6rq9-53c3-f7vj for the authoritative fixed version range and upgrade guidance.
Workarounds
- Reject ONNX models from untrusted sources until the library is upgraded
- Run ONNX model processing inside a sandbox or container with read-only mounts for sensitive directories
- Implement a pre-processing filter that rewrites or removes external_data.location fields containing traversal characters before save operations
# Configuration example: upgrade ONNX and verify the installed version
pip install --upgrade "onnx>1.17.0"
python -c "import onnx; print(onnx.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
