# ONNX implicit-CWD external-data read PoC This PoC is intentionally narrow and matches the verified behavior on built `onnx 1.22.0`. What it shows: - a malicious ONNX model stored only as raw bytes can carry a `Constant` tensor whose data is marked as external - `onnx.numpy_helper.to_array()` will auto-load that external tensor even when no trusted base directory was provided - `onnx.reference.ReferenceEvaluator(model_bytes)` reaches the same sink automatically and returns the local file bytes as model output What it does not show: - arbitrary path traversal outside the current working directory - code execution ## Files - `repro.py`: creates a temporary working directory, places a local secret file there, builds a malicious ONNX model, and demonstrates both public exploit paths ## Verified Runtime - `onnx 1.22.0` ## Example ```bash PYTHONPATH=/mnt/data/huntr/.pydeps-onnx \ /home/thun/.cache/codex-runtimes/codex-primary-runtime/dependencies/python/bin/python3 \ repro.py ```