AI Threat Alert

CVE-2024-7776

GHSA-h36j-8vv3-cj52 HIGH
Published March 20, 2025

A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package Ecosystem Vulnerable Range Patched
onnx pip < 1.17.0 1.17.0

Do you use onnx? You're affected.

Severity & Risk

CVSS 3.1
8.1 / 10
EPSS
1.5%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

Patch available

Update onnx to version 1.17.0

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

References

Timeline

Published
March 20, 2025
Last Modified
March 27, 2025
First Seen
March 24, 2026
Back to Threat Feed