Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 17 pypi packages depend on onnx (9 direct, 8 indirect)
Ecosystem-wide dependent count for version 1.21.0.
DescriptionGitHub Advisory
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
AnalysisAI
ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files by exploiting a hardlink-based path traversal vulnerability in onnx.load(). The vulnerability bypasses existing symlink protections because hardlinks appear as regular files to filesystem checks. An attacker with local file system access can craft a malicious ONNX model file using hardlinks to access sensitive data outside the intended directory, requiring user interaction to load the crafted model. No public exploit code has been identified; EPSS score of 4.7 indicates low exploitation probability despite moderate CVSS impact.
Technical ContextAI
ONNX is a widely-adopted open standard for machine learning model serialization and interoperability, supported by major frameworks including Microsoft's ecosystem. The onnx.load() function contains a path traversal protection mechanism that explicitly checks for symbolic links (symlinks) before loading model files. However, this check fails to account for hardlinks, which are filesystem-level references that point directly to the inode of a file. Unlike symlinks (which are distinct filesystem objects), hardlinks are indistinguishable from regular files when inspected via standard filesystem APIs. The vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) occurs because the protection logic examines the file's appearance rather than its actual destination. A hardlink to a sensitive system file (e.g., /etc/passwd or private keys) appears as a normal file to the path validation code, allowing traversal out of the intended restricted directory scope.
RemediationAI
Vendor-released patch: ONNX 1.21.0 and later. Upgrade ONNX to version 1.21.0 or newer immediately. The fix is available at the official ONNX GitHub repository (https://github.com/onnx/onnx). Users unable to upgrade immediately should restrict local filesystem access to ONNX model files and disable user model loading from untrusted sources. Review access controls on directories containing sensitive files that could be targeted via hardlinks. The underlying fix (commit 4755f8053928dce18a61db8fec71b69c74f786cb) reinforces path traversal protections to account for hardlinks in addition to symlinks.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17987
GHSA-cmw6-hcpp-c6jp