MEDIUM 4.7

GHSA-cmw6-hcpp-c6jp

ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load

Details

### Summary

The issue is in `onnx.load`: the code checks for symlinks to prevent path traversal but does not check for hardlinks, and a hardlink looks exactly like a regular file on the filesystem.

### The Real Problem

The validator in `onnx/checker.cc` only calls `is_symlink()` and never checks the inode or `st_nlink`, so a hardlink passes every security check.
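
As an added example (not ONNX's code and not the project's fix), the following Python function applies the `st_nlink` check that the validator lacks, alongside the symlink and containment checks, before a path is accepted as external data. The names `check_external_data` and `demo` and the sample file names are hypothetical, and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path


def check_external_data(model_dir, location):
    """Return reasons to reject an external-data path (empty list = accept)."""
    base = Path(model_dir).resolve()
    candidate = base / location
    problems = []
    # Containment: the fully resolved path must stay under the model directory.
    if base not in candidate.resolve().parents:
        problems.append("escapes model directory")
    try:
        st = os.lstat(candidate)  # lstat does not follow a final symlink
    except FileNotFoundError:
        return problems + ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    elif st.st_nlink > 1:
        # Another directory entry points at the same inode; a symlink-only
        # check sees this as an ordinary regular file.
        problems.append(f"hardlink (st_nlink={st.st_nlink})")
    return problems


def demo():
    """Build a constructed model directory and check each sample entry."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside.txt")  # constructed file outside the model dir
        outside.write_text("constructed sample data")
        model_dir = Path(tmp, "model")
        model_dir.mkdir()
        (model_dir / "weights.bin").write_bytes(b"\x00" * 16)
        os.symlink(outside, model_dir / "sym.bin")
        os.link(outside, model_dir / "hard.bin")
        names = ("weights.bin", "sym.bin", "hard.bin", "missing.bin")
        return {n: check_external_data(model_dir, n) for n in names}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:12} {'REJECT: ' + ', '.join(problems) if problems else 'ok'}")
```

`st_nlink > 1` also flags files that are hardlinked for legitimate reasons such as deduplication, and a check made before opening the file is subject to a race unless it is repeated on the opened descriptor with `os.fstat`.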

### Impact

This is especially dangerous in AI supply chain scenarios such as HuggingFace: a single malicious model is enough to silently steal secrets from the victim's machine without them noticing anything.

Affected packages

PyPI / onnx
Introduced in: 0
Fixed in: 1.21.0
Fix: `pip install --upgrade 'onnx>=1.21.0'`
