Homepage

Directory Traversal Affecting onnx package, versions <1.16.2-1

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Directory Traversal vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN13-ONNX-9509326
  • published22 Mar 2025
  • disclosed20 Mar 2025
Report a new vulnerability Found a mistake?

Introduced: 20 Mar 2025

NewCVE-2024-7776  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Debian:13 onnx to version 1.16.2-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream onnx package and not the onnx package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability in the download_model function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.