GHSA-cmw6-hcpp-c6jp — medium GitHub Advisory (CVE-2026-34446) in pip/onnx

描述

Summary

The issue is in onnx.load — the code checks for symlinks to prevent path traversal, but completely misses hardlinks, which is the problem, since a hardlink looks exactly like a regular file on the filesystem.

The Real Problem

The validator in onnx/checker.cc only calls is_symlink() and never checks the inode or st_nlink, so a hardlink walks right through every security check without any issues.

Impact

Especially dangerous in AI supply chain scenarios like HuggingFace — a single malicious model is enough to silently steal secrets from the victim's machine without them noticing anything.

基本資訊

類型: reviewed
嚴重度: medium
GitHub 上的公告: 開啟公告 ↗
儲存庫公告: 開啟儲存庫公告 ↗
原始碼: 瀏覽原始碼 ↗
公開（公告）: 2026-04-01 21:13:37 UTC
更新時間: 2026-04-01 21:13:39 UTC
GitHub 審核: 2026-04-01 21:13:37 UTC
NVD 公開: 2026-04-01 18:16:30 UTC

Score	Percentile
0.01%	1.10%

CVSS Scores

Base score	Version	Severity	Vector
4.7	3.1	—	`CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N` 點擊展開攻擊向量 (AV:L) 需先取得主機上的執行面，或仰賴其他使用者誤操作／惡意操作才會觸發。攻擊複雜度 (AC:H) 即使網路可達，也常要卡時間窗、負載或特定版本組合才打得響。權限需求 (PR:N) 不必事先登入或提權，匿名工作階段也可能成為跳板。使用者互動 (UI:R) 需要一次明確的使用者動作（安裝、改設定、開啟惡意文件等）才會落地。作用域 (S:U) 破壞局限在脆弱元件原本的安全權限與信任域之內。機密性影響 (C:H) 大量讀取、匯出或長期潛伏竊取機敏資料，在實務上成立。完整性影響 (I:N) 對紀錄真實性與不可否認性的破壞可忽略。可用性影響 (A:N) 不至於造成業務意義上的長時間停擺或災難性效能崩塌。

Identifiers

Type	Value
GHSA	GHSA-cmw6-hcpp-c6jp ↗
CVE	CVE-2026-34446 ↗

CWEs

CWE id	Name
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-61	UNIX Symbolic Link (Symlink) Following

Credits

ZeroXJacks (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
pip	onnx	<= 1.20.1	1.21.0	—

ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load

描述