8.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-7776

GHSA ID

GHSA-h36j-8vv3-cj52

EPSS Score

0.68974%

CWE

CWE-22

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-7776

CVE-2024-7776: Open Neural Network Exchange (ONNX) Path Traversal Vulnerability

A vulnerability in the download_model function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-7776

CVE-2024-7776:

8.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-7776

GHSA ID

GHSA-h36j-8vv3-cj52

EPSS Score

0.68974%

CWE

CWE-22

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
onnx	pip

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure tar file extraction patterns. The commit diff shows:

In onnx/backend/test/runner/__init__.py, the original tarfile.open().extractall() was replaced with _extract_model_safe, indicating the former lacked path traversal checks.
In onnx/hub.py, the removal of the _tar_members_filter function and replacement with _extract_model_safe suggests the original filter was either incomplete or improperly applied. Both functions handled model downloads/extractions and were directly modified in the security patch to address CWE-22.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-7776: Open Neural Network Exchange (ONNX) Path Traversal Vulnerability

CVE-2024-7776:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

8.1

8.1

CVE-2024-7776: Open Neural Network Exchange (ONNX) Path Traversal Vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI