GHSA-Q56X-G2FJ-4RJ6: CVE-2025-51480: Arbitrary File Write via Path Traversal in ONNX save_external_data

CVE-2025-51480: Arbitrary File Write via Path Traversal in ONNX save_external_data

Vulnerability ID: GHSA-Q56X-G2FJ-4RJ6
CVSS Score: 8.8
Published: 2026-04-01

The ONNX (Open Neural Network Exchange) Python library contains a high-severity path traversal vulnerability in the save_external_data function. Processing specially crafted ONNX models allows an attacker to write arbitrary files to the host filesystem, resulting in potential remote code execution or data corruption. The vulnerability also exposes a Time-of-Check Time-of-Use (TOCTOU) weakness during file operations.

TL;DR

A path traversal flaw in the ONNX library allows attackers to overwrite arbitrary files on the host system via manipulated tensor external data paths. Exploitation requires user interaction to process a malicious model but can lead to remote code execution.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-22, CWE-367
• Attack Vector: Network (Requires User Interaction)
• CVSS v3.1 Score: 8.8 (High)
• Vulnerability Type: Path Traversal
• Impact: Arbitrary File Write / RCE
• Exploit Status: Proof of Concept Available

Affected Systems

• ONNX Python Package (onnx on PyPI)
• Applications parsing untrusted ONNX models using the external data helper
• ONNX: < Patched versions (post PR #6959/#7040)

Exploit Details

• Gecko Security / Huntr: Python script generating a malicious ONNX file to overwrite arbitrary target files.

Mitigation Strategies

• Update the ONNX package to the latest version incorporating PRs #6959 and #7040.
• Implement application-level validation of TensorProto external_data fields to reject models with traversal sequences.
• Run ML model processing pipelines in isolated, unprivileged environments with read-only filesystems.
• Enforce strict filesystem quotas and permissions on the model workspace directory.

Remediation Steps:

1. Identify all Python projects and environments utilizing the onnx library.
2. Update the onnx dependency using package managers (e.g., pip install --upgrade onnx).
3. Validate the fix by executing test suites against known path traversal payloads in model locations.
4. Audit existing stored models for signs of malicious external_data location fields.

References

• GitHub Advisory: GHSA-Q56X-G2FJ-4RJ6
• NVD Entry for CVE-2025-51480
• Huntr Bounty Report
• Gecko Security Blog Post

---

Read the full report for GHSA-Q56X-G2FJ-4RJ6 on our website for more details including interactive diagrams and full exploit analysis.