GHSA-538c-55jv-c5g9

Source

https://github.com/advisories/GHSA-538c-55jv-c5g9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-538c-55jv-c5g9/GHSA-538c-55jv-c5g9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-538c-55jv-c5g9

Aliases

CVE-2026-34445

Related

CGA-hjrq-x5p4-76xf

Published

2026-04-01T21:10:52Z

Modified

2026-04-04T00:14:20.465133958Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator

Summary

ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings.

Details

Summary

The ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. The problem? It didn’t check if the "keys" in the file were valid. Because it blindly trusted the file, an attacker could craft a malicious model that overwrites internal object properties.

Why its Dangerous

Instant Crash DoS: An attacker can set the length property to a massive number like 9 petabytes. When the system tries to load the model, it attempts to allocate all that RAM at once, causing the server to crash or freeze Out of Memory.

Access Bypass: By setting a negative offset -1, an attacker can trick the system into reading parts of a file it wasn't supposed to touch.

Object Corruption: Attackers can even inject "dunder" attributes like class to change the object's type entirely, which could lead to more complex exploits.

Fixed: https://github.com/onnx/onnx/pull/7751 object state corruption and DoS via ExternalDataInfo attribute injection

Database specific

{
    "nvd_published_at": "2026-04-01T18:16:30Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-400",
        "CWE-915"
    ],
    "github_reviewed_at": "2026-04-01T21:10:52Z"
}

References

Affected packages

PyPI / onnx

Package

Name: onnx; View open source insights on deps.dev
Purl: pkg:pypi/onnx

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.21.0

Affected versions

0.*

0.1

0.2

0.2.1

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.1

1.2.2

1.2.3

1.3.0

1.4.0

1.4.1

1.5.0

1.6.0

1.7.0

1.8.0

1.8.1

1.9.0

1.10.0

1.10.1

1.10.2

1.11.0

1.12.0

1.13.0

1.13.1

1.14.0

1.14.1

1.15.0

1.16.0

1.16.1

1.16.2

1.17.0

1.18.0

1.19.0

1.19.1rc1

1.19.1

1.20.0rc1

1.20.0rc2

1.20.0

1.20.1rc1

1.20.1

1.21.0rc1

1.21.0rc2

1.21.0rc3

1.21.0rc4

Database specific

last_known_affected_version_range

"<= 1.20.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-538c-55jv-c5g9/GHSA-538c-55jv-c5g9.json"