CVE-2024-7776: A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows
Summary
CVE-2024-7776 is a vulnerability in the ONNX framework (a tool for machine learning models) version 1.16.1 and earlier, where the `download_model` function fails to properly block path traversal attacks (a technique where attackers use special file path sequences to access files outside the intended directory). An attacker could exploit this to overwrite files on a user's system, potentially leading to remote code execution (running malicious commands on the victim's computer).
Vulnerability Details
9.1 (critical)
EPSS: 1.5%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-7776
First tracked: February 15, 2026 at 08:44 PM