CVE-2024-7776 – onnx

Package

Manager: pip
Name: onnx
Vulnerable Version: >=0 <1.17.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00614 pctl0.68943

Details

Open Neural Network Exchange (ONNX) Path Traversal Vulnerability A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

Metadata

Created: 2025-03-20T12:32:46Z
Modified: 2025-03-27T17:41:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-h36j-8vv3-cj52/GHSA-h36j-8vv3-cj52.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-h36j-8vv3-cj52
Finding: F063
Auto approve: 1