Impact
The vulnerability resides in the onnx.load function of the ONNX library. The implementation checks for symbolic links to prevent path traversal but does not detect hardlinks, which a symlink check cannot distinguish from regular files: a hardlink is simply a second directory entry for the same inode, so lstat reports an ordinary regular file. This omission allows an attacker to create a hardlink to a sensitive file; when the ONNX loader processes a crafted model that references it, the loader reads the contents of the linked file. The result is disclosure of any file on the host that the application process has read permission for. The issue exposes confidential data but does not by itself execute code.
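The following added example illustrates the mechanism described above and one way a loader can close it; it is illustrative code written for this page, not the onnx project's own loader or its fix. The names `symlink_only_check`, `open_external_data_safely` and `demo` are hypothetical, and the "model directory" and "secret" files are constructed inside a temporary directory. The hardened path does three things the symlink-only check does not: it confines the resolved path to the model directory, opens with `O_NOFOLLOW` so there is no check-then-open race, and inspects `st_nlink` on the opened descriptor so a hardlinked file is refused.

```python
import os
import stat
import tempfile


class UnsafeExternalDataPath(ValueError):
    """Raised when an external-data location fails a safety check."""


def symlink_only_check(base_dir: str, location: str) -> str:
    """The weak pattern: rejects symbolic links and nothing else.

    A hardlink to a file outside base_dir is a regular file with a second
    directory entry, so os.path.islink() is False and the path is accepted.
    """
    candidate = os.path.join(base_dir, location)
    if os.path.islink(candidate):
        raise UnsafeExternalDataPath("symlink rejected: %s" % location)
    return candidate


def open_external_data_safely(base_dir: str, location: str) -> int:
    """Hardened pattern (hypothetical). Returns a read-only file descriptor.

    1. The unresolved path must not be a symlink and the resolved path must
       stay inside base_dir (blocks '../' traversal and symlink escapes).
    2. The file is opened with O_NOFOLLOW, so a symlink swapped in after the
       check cannot be followed.
    3. fstat() on the descriptor must show a regular file with exactly one
       link; a hardlink to a file elsewhere on the filesystem has st_nlink > 1.
    """
    base = os.path.realpath(base_dir)
    unresolved = os.path.join(base, location)
    if os.path.islink(unresolved):
        raise UnsafeExternalDataPath("symlink rejected: %s" % location)
    candidate = os.path.realpath(unresolved)
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeExternalDataPath("path escapes model directory: %s" % location)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW absent on Windows
    try:
        fd = os.open(candidate, flags)
    except OSError as exc:  # ELOOP when O_NOFOLLOW meets a symlink, ENOENT, etc.
        raise UnsafeExternalDataPath("cannot open %s: %s" % (location, exc))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeExternalDataPath("not a regular file: %s" % location)
        if st.st_nlink > 1:
            raise UnsafeExternalDataPath(
                "hardlinked file rejected (%d links): %s" % (st.st_nlink, location))
    except BaseException:
        os.close(fd)
        raise
    return fd


def _verdict(check, base_dir: str, location: str) -> str:
    """Run a checker and summarise the outcome; closes any descriptor returned."""
    try:
        result = check(base_dir, location)
    except UnsafeExternalDataPath as exc:
        return "rejected: %s" % exc
    if isinstance(result, int):
        os.close(result)
    return "accepted"


def demo() -> dict:
    """Build a constructed model directory and compare both checkers.

    The 'secret' file stands in for a sensitive host file; everything lives in
    a temporary directory so the demo is self-contained.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        model_dir = os.path.join(root, "model")
        os.mkdir(model_dir)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("constructed secret\n")
        with open(os.path.join(model_dir, "weights.bin"), "wb") as f:
            f.write(b"\x00" * 16)  # a legitimate external-data file
        cases = ["weights.bin", "../secret.txt"]  # plain traversal attempt included
        try:
            os.symlink(secret, os.path.join(model_dir, "sym.bin"))
            cases.append("sym.bin")
        except OSError:
            pass  # platform without symlink support
        try:
            os.link(secret, os.path.join(model_dir, "hard.bin"))
            cases.append("hard.bin")
        except OSError:
            pass  # filesystem without hardlink support
        for name in cases:
            results[name] = {
                "symlink_only": _verdict(symlink_only_check, model_dir, name),
                "hardened": _verdict(open_external_data_safely, model_dir, name),
            }
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print("%-15s %-30s %s" % (name, verdicts["symlink_only"], verdicts["hardened"]))
```

Two caveats for anyone adopting the `st_nlink > 1` rule: it also refuses legitimately hardlinked files (some package managers and deduplicating backups create them), so a loader may prefer to compare `st_dev`/`st_ino` against the files it expects rather than refuse outright; and on Linux the kernel sysctl `fs.protected_hardlinks=1` already prevents an unprivileged user from hardlinking files they cannot read or write, which limits the attack to files the attacker's own account could read anyway. The application-level check is still worthwhile because the loader may run on hosts where that sysctl is off or on other operating systems.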
Affected Systems
All installations of the ONNX library older than version 1.21.0 are affected. The issue exists in the open-source onnx:onnx project, which is used by a variety of machine-learning applications. No specific third-party vendors beyond the core ONNX repository are listed, but any system that incorporates the vulnerable ONNX code base is at risk.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not currently listed in CISA's KEV catalog. The attack is likely local, or requires the attacker to supply a malicious ONNX file to the application; no remote execution pathway is documented. Because the flaw provides only file-read capability, the confidentiality impact is significant, but the risk of further compromise is limited unless the attacker has additional privileges or the application passes the leaked data on elsewhere.
OpenCVE Enrichment
GitHub GHSA