Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 17 pypi packages depend on onnx (9 direct, 8 indirect)
Ecosystem-wide dependent count for version 1.21.0.
DescriptionGitHub Advisory
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.
AnalysisAI
ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files outside the model directory through symlink traversal during external data loading, requiring user interaction to load a malicious model file. The vulnerability has a CVSS score of 5.5 (medium severity) and is classified as information disclosure with confirmed patch availability in version 1.21.0.
Technical ContextAI
ONNX (Open Neural Network Exchange) is a machine learning model interchange format that supports external data storage. The vulnerability exists in the external data loading mechanism, which follows symlinks without proper validation (CWE-61: Improper Restriction of Rendered UI Layers or Frames). When processing ONNX model files, the implementation fails to restrict symlink traversal, allowing an attacker to craft a malicious model containing symlinks pointing to sensitive files outside the intended model directory. This affects local file access on systems where ONNX models are loaded, typically in machine learning frameworks and inference engines that consume ONNX format models.
RemediationAI
Vendor-released patch: ONNX version 1.21.0 and later. Update ONNX packages immediately to version 1.21.0 or newer through your package manager (pip install --upgrade onnx, or equivalent for your deployment method). For organizations unable to immediately patch, restrict external model loading to models from trusted sources only, validate model file integrity using cryptographic signatures before loading, and avoid loading ONNX models from user-uploaded sources or untrusted repositories. Additional mitigation includes running model inference in sandboxed environments with restricted filesystem access. Full details available in the GitHub security advisory at https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj.
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17989
GHSA-p433-9wv8-28xj