Platform
python
Component
onnx
Fixed in
1.17.0
CVE-2024-7776 is a path traversal vulnerability in the download_model function of the onnx framework. The function extracts a downloaded tar archive without sanitizing the member paths inside it, so an attacker who can supply a crafted tar archive (member names containing `../` sequences) can make the extraction overwrite files within the user's directory. The vulnerability affects versions up to and including 1.16.1; a fix is available in version 1.17.0.
An attacker exploiting CVE-2024-7776 supplies a tar archive whose member names traverse out of the extraction directory, so extraction writes attacker-controlled content to arbitrary paths writable by the user account running onnx. That covers the user's own configuration files, shell startup files and scripts, and any Python packages installed in a user-writable location; files only root can write, such as system binaries, are out of reach unless onnx itself runs as root. Overwriting a file that is later executed is how the remote command execution named in the advisory arises, giving the attacker code execution as that user. The blast radius is every system running a vulnerable onnx version where an attacker can control, or tamper with in transit, the archive that download_model fetches.
CVE-2024-7776 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but building a tar archive with `../` in a member name needs no special tooling, so exploitation should be treated as straightforward once an attacker controls the archive source. The CVSS score of 8.1 (HIGH) indicates a significant risk, and the potential for command execution warrants prompt attention. The vulnerability was publicly disclosed on 2025-03-20.
Exploit Status
EPSS
1.47% (81st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-7776 is to upgrade to version 1.17.0 or later of the onnx framework. If upgrading is not immediately feasible, wrap or replace the archive extraction behind download_model so that every archive member is validated before anything is written: reject any member whose path, once normalized, resolves outside the destination directory, which includes `..` components, absolute names, and symbolic or hard links whose targets point outside it. Additionally, run onnx under an account that can write only to the directories it needs, so a successful traversal cannot reach startup files, scripts, or installed packages, and only fetch models from sources you trust over authenticated, integrity-checked channels. Monitor for unexpected file modifications in the home directory of the account that runs onnx, particularly to shell startup files and Python package directories. After upgrading, confirm the fix by feeding the extraction path a locally built tar archive containing a `../` member name; extraction should be refused with an error and no file should appear outside the destination directory. Use an archive you built yourself for this check, never one fetched from an untrusted source.
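The traversal mechanism and the path-validation mitigation described above, as an added example written for this page (not onnx's own code): a constructed in-memory tar archive with a `../escaped.txt` member is extracted once by the unchecked pattern and once by a guarded extractor that validates every member before the first write. All helper names (`build_tar`, `unchecked_extract`, `is_within`, `safe_extract`, `demo`) and the archive contents are assumptions made for the illustration; the `filter` keyword is only passed on Python versions that ship tarfile extraction filters (3.12 and later, plus the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 maintenance releases), where the guarded path also applies the built-in `data` filter as a second layer.

```python
"""Added example, not onnx project code: a crafted tar member named
'../escaped.txt' escapes the extraction directory under an unchecked
extractall(), and a guarded extractor rejects the same archive before
writing anything. Helper names (build_tar, unchecked_extract, is_within,
safe_extract, demo) and the archive contents are constructed for this
illustration."""
import io
import os
import tarfile
import tempfile

# tarfile.data_filter exists on Pythons that ship the extraction-filter
# backport (3.8.17, 3.9.17, 3.10.12, 3.11.4 and all of 3.12+).
HAS_FILTERS = hasattr(tarfile, "data_filter")


def build_tar(members):
    """Build an in-memory tar from {member_name: bytes}. addfile() writes
    the name verbatim, so '../' survives, which is exactly what a crafted
    archive relies on. Constructed test data, not a real onnx model package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unchecked_extract(tar_bytes, dest):
    """The vulnerable pattern: trust member names and extract them all.
    filter='fully_trusted' reproduces pre-filter behaviour on newer Pythons."""
    kwargs = {"filter": "fully_trusted"} if HAS_FILTERS else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        tf.extractall(dest, **kwargs)


def is_within(base, target):
    """True if target, after resolving '..' and symlinks, stays inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(tar_bytes, dest):
    """Extract only if every member's path (and link target) resolves inside
    dest. Validation runs over the whole member list before any write, so a
    bad archive leaves no partial state. Returns the extracted member names."""
    dest = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        members = tf.getmembers()
        for m in members:
            # os.path.join discards dest if m.name is absolute, so an
            # absolute member name fails the containment check as well.
            if not is_within(dest, os.path.join(dest, m.name)):
                raise ValueError(f"member escapes destination: {m.name!r}")
            if m.issym() or m.islnk():
                # Symlink targets are relative to the member's directory,
                # hard-link targets to the archive root.
                link_base = dest if m.islnk() else os.path.join(dest, os.path.dirname(m.name))
                if not is_within(dest, os.path.join(link_base, m.linkname)):
                    raise ValueError(f"link escapes destination: {m.name!r} -> {m.linkname!r}")
        # Where available, also apply tarfile's own 'data' filter, which
        # enforces the same containment rules (and more) inside the library.
        kwargs = {"filter": "data"} if HAS_FILTERS else {}
        tf.extractall(dest, members=members, **kwargs)
    return [m.name for m in members]


def demo():
    """Run both extractors against a benign and a crafted archive and report
    whether a file landed outside the intended directory."""
    benign = build_tar({"model/model.onnx": b"\x08\x07"})
    crafted = build_tar({"../escaped.txt": b"attacker controlled"})
    results = {}
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "models")
        os.mkdir(dest)
        unchecked_extract(crafted, dest)
        results["unchecked_escaped"] = os.path.exists(os.path.join(root, "escaped.txt"))
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "models")
        os.mkdir(dest)
        results["benign"] = safe_extract(benign, dest)
        try:
            safe_extract(crafted, dest)
            results["crafted"] = "extracted"
        except ValueError:
            results["crafted"] = "rejected"
        results["guarded_escaped"] = os.path.exists(os.path.join(root, "escaped.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict: the unchecked extractor leaves escaped.txt one level above the destination, while the guarded extractor raises before writing. Validating the whole member list before the first write matters because a partially extracted archive can already have planted a symlink that a later member writes through; checking link targets against the destination closes that route as well.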
Update the onnx library to a version later than 1.16.1. This can be done with the pip package manager: `pip install --upgrade onnx`. Verify that the upgrade completed successfully and that the installed version is 1.17.0 or later.
CVE-2024-7776 is a Path Traversal vulnerability in the onnx framework's download_model function, allowing attackers to overwrite files via malicious tar archives.
You are affected if you are using onnx version 1.16.1 or earlier. Check your installed version and upgrade if necessary.
Upgrade to version 1.17.0 or later of the onnx framework. If immediate upgrade is not possible, implement input validation and restrict write access.
While no widespread exploitation has been confirmed, the vulnerability's nature and high CVSS score suggest potential for exploitation. Monitor your systems closely.
Refer to the onnx project's security advisories and release notes for details: [https://github.com/onnx/onnx/security/advisories](https://github.com/onnx/onnx/security/advisories)