OpenVINO Path Traversal PoC - PATHTRV-VULN-01
Vulnerability
Incomplete sanitize_path() fix in ONNX external data loading at tensor_external_data.cpp:44-45.
The implementation at file_util.cpp:107-113 only strips leading /.\\ characters:
const auto start = sanitized_path.find_first_not_of("/.\\");
return sanitized_path.substr(start);
Internal ../ sequences are not handled: a location such as workspace/../../../etc/passwd starts with w, which is not in the stripped set, so the full traversal path is preserved.
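To make the gap concrete, here is an added example (it is not OpenVINO's code; the weak sanitizer is reconstructed from the two lines quoted above, and the function names, the model directory and the sample locations are assumptions). It places the prefix-stripping sanitizer next to a containment check that lexically normalizes the location and rejects anything that is absolute or still contains a ".." component, which is the property the external-data loader actually needs:

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Reconstruction of the incomplete sanitizer described in the advisory:
// it drops leading '/', '.' and '\\' characters only, so an internal
// "../" sequence survives untouched. Illustrative, not the project's code.
std::string weak_sanitize(const std::string& location) {
    const auto start = location.find_first_not_of("/.\\");
    if (start == std::string::npos) return std::string();  // guard added here; the quoted snippet has none
    return location.substr(start);
}

// Hardened check (assumed name): normalize the location lexically, which
// collapses "a/../b", "./" and duplicate separators, then reject anything
// that is absolute, carries a root name (drive letter or UNC prefix on
// Windows), or still contains a ".." component. Lexical normalization is
// deliberate: it touches no filesystem, so there is no symlink or TOCTOU race.
bool location_stays_inside(const std::string& location) {
    const fs::path p(location);
    if (p.empty() || p.is_absolute() || p.has_root_name() || p.has_root_directory()) {
        return false;
    }
    const fs::path norm = p.lexically_normal();
    if (norm.empty()) return false;
    for (const auto& part : norm) {
        if (part.string() == "..") return false;  // any ".." left after normalization escapes
    }
    return true;
}

// Join the external-data location onto the model directory only when the
// containment check passes; std::nullopt means "refuse to load this tensor".
std::optional<fs::path> resolve_external_data(const fs::path& model_dir,
                                              const std::string& location) {
    if (!location_stays_inside(location)) return std::nullopt;
    return (model_dir / fs::path(location).lexically_normal()).lexically_normal();
}

int main() {
    const fs::path model_dir = "/models";  // assumed directory of the loaded model
    // Constructed sample locations: the advisory's traversal string and a benign one.
    for (const std::string loc : {"workspace/../../../etc/passwd", "workspace/weights.bin"}) {
        std::cout << loc << "\n  weak_sanitize -> " << weak_sanitize(loc) << "\n  hardened      -> ";
        if (const auto resolved = resolve_external_data(model_dir, loc)) {
            std::cout << resolved->string() << "\n";
        } else {
            std::cout << "rejected\n";
        }
    }
    return 0;
}
```

Note that `workspace/../weights.bin` is accepted: after normalization it resolves to `weights.bin`, still inside the model directory. A check that simply refuses any string containing `..` would reject it, while a check that only strips a leading prefix (the weak sanitizer) accepts the traversal. Normalize-then-verify gives both correct answers.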
PoC
An ONNX model with external data tensor location set to workspace/../../../etc/passwd.
When loaded via openvino.Core().read_model(), the sanitized path is joined with the model directory, resolving to /etc/passwd.
Reproduction
import openvino as ov
# Load ONNX model with traversal in external data location
core = ov.Core()
model = core.read_model("poc_traversal.onnx")
# OpenVINO attempts to read /etc/passwd as tensor data
Impact
Arbitrary file read when loading crafted ONNX models from untrusted sources.
CWE
CWE-22 (Path Traversal)
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (base score 6.5)