Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 17 pypi packages depend on onnx (9 direct, 8 indirect)
Ecosystem-wide dependent count for version 1.21.0.
DescriptionGitHub Advisory
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
AnalysisAI
Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.
Technical ContextAI
ONNX is a widely-adopted open standard for representing machine learning models, enabling interoperability across frameworks like PyTorch, TensorFlow, and scikit-learn. The vulnerability resides in the ExternalDataInfo class, which handles metadata for externally stored tensor data (file paths, offsets, data lengths). The implementation used Python's setattr(object, key, value) to dynamically assign attributes based on key-value pairs parsed directly from the ONNX protobuf model file without validating whether these keys correspond to legitimate metadata fields. This represents a classic CWE-20 (Improper Input Validation) flaw where untrusted data controls object state. An attacker crafting a malicious .onnx file can inject arbitrary attribute names, potentially overwriting critical internal properties like __class__, __dict__, or application-specific control flow variables. The affected CPE (cpe:2.3:a:onnx:onnx) covers the Python onnx package prior to version 1.21.0, used in ML pipelines for model conversion, validation, and inference deployment.
RemediationAI
Organizations must upgrade the ONNX Python package to version 1.21.0 or later, which implements input validation for ExternalDataInfo attribute keys per the patch commit e30c6935d67cc3eca2fa284e37248e7c0036c46b available at https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b. The fix is delivered through pull request 7751 (https://github.com/onnx/onnx/pull/7751) and restricts setattr() usage to a whitelist of legitimate metadata fields. For environments unable to immediately upgrade, implement strict input validation by scanning ONNX model files for unexpected metadata keys before deserialization, restrict model sources to trusted repositories with integrity verification, and deploy sandboxed execution environments with resource limits to contain potential availability impacts. Review the GitHub Security Advisory at https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9 for additional vendor guidance on detection and migration strategies.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17985
GHSA-538c-55jv-c5g9