GHSA-cmw6-hcpp-c6jp — medium GitHub Advisory (CVE-2026-34446) in pip/onnx

描述

Summary

The issue is in onnx.load — the code checks for symlinks to prevent path traversal, but completely misses hardlinks, which is the problem, since a hardlink looks exactly like a regular file on the filesystem.

The Real Problem

The validator in onnx/checker.cc only calls is_symlink() and never checks the inode or st_nlink, so a hardlink walks right through every security check without any issues.

Impact

Especially dangerous in AI supply chain scenarios like HuggingFace — a single malicious model is enough to silently steal secrets from the victim's machine without them noticing anything.

基本信息

类型: reviewed
严重度: medium
GitHub 上的公告: 打开公告 ↗
仓库公告: 打开仓库公告 ↗
源代码: 浏览源码 ↗
公开（公告）: 2026-04-01 21:13:37 UTC
更新时间: 2026-04-01 21:13:39 UTC
GitHub 审核: 2026-04-01 21:13:37 UTC
NVD 公开: 2026-04-01 18:16:30 UTC

Score	Percentile
0.01%	1.10%

CVSS Scores

Base score	Version	Severity	Vector
4.7	3.1	—	`CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N` 点击展开攻击向量 (AV:L) 需要先拿到目标主机上的执行面，或依赖其他用户误操作／恶意操作来触发。攻击复杂度 (AC:H) 即便网络可达，也常要卡窗口、凑负载或特定版本组合才打得响。权限要求 (PR:N) 不必事先登录或提权，匿名会话也可能成为跳板。用户交互 (UI:R) 需要一次明确的用户动作（安装、改配置、打开恶意文档等）才会落地。作用域 (S:U) 破坏局限在脆弱组件原本的安全权限与信任域之内。机密性影响 (C:H) 批量读取、导出或长期潜伏窃取机密数据，在实战上成立。完整性影响 (I:N) 对记录真实性与不可否认性的破坏可忽略。可用性影响 (A:N) 不至于造成业务意义上的长时间停摆或灾难性性能崩塌。

Identifiers

Type	Value
GHSA	GHSA-cmw6-hcpp-c6jp ↗
CVE	CVE-2026-34446 ↗

CWEs

CWE id	Name
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-61	UNIX Symbolic Link (Symlink) Following

Credits

ZeroXJacks (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
pip	onnx	<= 1.20.1	1.21.0	—

ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load

描述