CVE-2025-51480: Arbitrary File Write via Path Traversal in ONNX save_external_data

The Open Neural Network Exchange (ONNX) format is an open standard designed for machine learning interoperability. It allows developers to move models between various machine learning frameworks. The ONNX Python library provides utilities to create, modify, and serialize these models. A critical component of this process is handling large tensor data, which is often stored outside the primary .onnx protobuf file to manage file size constraints.

CVE-2025-51480 represents a path traversal vulnerability (CWE-22) located within the onnx.external_data_helper.save_external_data function. This function is responsible for writing tensor data to the filesystem based on paths specified within the model's metadata. The implementation fails to adequately sanitize these user-supplied paths before performing filesystem operations.

By supplying an ONNX model with manipulated location values in its TensorProto structures, an attacker can coerce the library into writing file data outside the intended workspace directory. The vulnerability requires the victim to process an untrusted model, mapping to a high-severity CVSS score due to the severe impact on file integrity and system confidentiality.

The root cause of CVE-2025-51480 is the improper neutralization of special elements within file paths constructed from user-controlled input. In the ONNX specification, a TensorProto message can store data externally by utilizing the external_data field. This field contains key-value pairs, where the location key dictates the relative path to the data file on disk.

The onnx.external_data_helper.save_external_data function processes these keys and extracts the location string. The vulnerability manifests when the function constructs the final destination path. It executes an os.path.join(basepath, entry.value) operation, merging the intended workspace directory (basepath) with the user-supplied string (entry.value).

The Python os.path.join function evaluates path traversal sequences such as ../. If the entry.value contains extensive traversal sequences (e.g., ../../../../etc/passwd), the resulting path escapes the intended basepath. Furthermore, the vulnerability context identifies a Time-of-Check Time-of-Use (TOCTOU) weakness (CWE-367). Even if basic prefix validation occurs, an attacker with local access could swap directory symlinks between the validation phase and the file write phase, bypassing the intended safety boundaries.

The vulnerable logic resides in the iteration over the external_data entries within a tensor definition. The code extracts the location string and directly applies it to the base path without canonicalization.

# Vulnerable implementation concept
def save_external_data(tensor, basepath):
    for entry in tensor.external_data:
        if entry.key == "location":
            # Flaw: entry.value is entirely user-controlled and unvalidated
            external_data_file_path = os.path.join(basepath, entry.value)
            
            # Flaw: The file is opened for writing at the traversed path
            with open(external_data_file_path, "wb") as f:
                f.write(tensor.raw_data)

The patch introduced in ONNX Pull Requests #6959 and #7040 addresses this by implementing rigorous path canonicalization and boundary checking. The corrected implementation utilizes os.path.abspath to resolve the full intended path and verifies that the resulting string is strictly a subdirectory of the canonicalized basepath.

# Patched implementation concept
def save_external_data(tensor, basepath):
    canonical_base = os.path.abspath(basepath)
    for entry in tensor.external_data:
        if entry.key == "location":
            target_path = os.path.join(canonical_base, entry.value)
            canonical_target = os.path.abspath(target_path)
            
            # Fix: Ensure the canonical target resides within the canonical base
            if not canonical_target.startswith(canonical_base + os.sep):
                raise ValueError("Path traversal detected in external_data location")
                
            with open(canonical_target, "wb") as f:
                f.write(tensor.raw_data)

This modification ensures that regardless of the presence of ../ sequences or absolute paths in the entry.value, the final output directory is strictly confined. Additional file status checks are incorporated to mitigate the TOCTOU symlink race conditions, ensuring the file path is securely resolved before the open operation.

Exploitation of CVE-2025-51480 requires a target application that processes untrusted ONNX models and invokes the save_external_data function. This scenario is common in machine learning pipelines, model transformation services, or ML observability platforms that parse and rewrite model definitions.

The attacker crafts a malicious ONNX model programmatically using the ONNX Python API. They instantiate a TensorProto object and populate its raw_data attribute with the malicious payload they intend to write to the victim's filesystem. They then append an external_data entry where the key is location and the value contains the path traversal payload.

# Malicious TensorProto construction
model = TensorProto()
model.raw_data = b"ssh-rsa AAAAB3NzaC1yc... attacker@domain\n"
 
location = model.external_data.add()
location.key = "location"
# Traverse out of the workspace to target the user's SSH keys
location.value = "../../../../../../../../home/user/.ssh/authorized_keys"

When the victim application receives this model and executes save_external_data(tensor=model, base_path="/tmp/model_workspace"), the Python interpreter evaluates the traversal payload. The os.path.join call generates the escaped path, and the open function subsequently truncates and overwrites the targeted authorized_keys file with the attacker's payload.

The direct impact of this vulnerability is arbitrary file overwrite (AFW) and arbitrary file read (AFR) depending on the specific application context. When the vulnerable function writes tensor data, an attacker can overwrite critical system configuration files, application source code, or initialization scripts.

Overwriting files such as ~/.ssh/authorized_keys, ~/.bashrc, or system cron jobs escalates the vulnerability directly to unauthenticated Remote Code Execution (RCE). The attacker achieves the privileges of the system user executing the ONNX model processing pipeline. In containerized environments, this often results in full container compromise, leading to subsequent lateral movement within the cluster.

The vulnerability holds a CVSS v3.1 base score of 8.8 (High). The User Interaction (UI) metric is assessed as Required, as the victim must manually process or automate the processing of the provided file. The Confidentiality, Integrity, and Availability metrics are all assessed as High due to the comprehensive system compromise possible via arbitrary file overwriting.

The primary remediation for CVE-2025-51480 is updating the ONNX library to a patched version incorporating Pull Requests #6959 and #7040. Organizations should audit their dependency manifests (e.g., requirements.txt, Pipfile) to ensure onnx is upgraded beyond the affected versions.

For systems where immediate patching is unfeasible, developers must implement strict validation on incoming ONNX models. Applications should parse the model definition in memory and verify the location keys of all external_data entries within TensorProto structures before invoking any saving mechanisms. Rejecting models containing ../ sequences or absolute paths in these fields mitigates the immediate attack vector.

Security engineers should also enforce the principle of least privilege on machine learning pipelines. Executing model parsing and transformation tasks within heavily restricted sandboxes or containers with read-only root filesystems limits the attacker's ability to achieve meaningful system compromise. Removing write access to critical configuration directories effectively neutralizes the severe RCE impacts of the arbitrary file write.