
ONNX Hub Vulnerability Allows Supply Chain Attacks on ML Model Loading
security, vulnerability, ONNX, machine learning, supply chain, CVE-2026-28500
The onnx.hub.load() function in the ONNX Python library accepts a silent=True parameter that suppresses the trust-verification warnings and the user confirmation prompt that would otherwise interrupt a load from an untrusted repository, so a model can be pulled from such a repository with no operator review. ONNX Hub's integrity check does not compensate for this: the expected SHA256 digests come from a manifest fetched from the same repository that hosts the models, so an attacker who controls the repository can swap the model and update the manifest to match, and the check still passes. The issue affects all ONNX versions up to 1.20.1, and no patch is currently available. Because silent=True is commonly set in production pipelines and CI/CD scripts, where there is no one to answer a prompt in any case, those pipelines end up loading unverified models with no signal that the trust checks were bypassed.
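The following is an added example, not code from the page or from the ONNX project. It models the weakness described above (a digest check whose reference value is served by the repository being checked) next to the mitigation a pipeline can apply today: pin the expected SHA256 of each model in the consuming project's own tree and refuse to load anything that does not match. The manifest shape (a list of entries carrying metadata.model_sha), the Repository class, the model bytes and the model name are all constructed for the example; the remark that verified bytes would go to onnx.load_from_string rather than onnx.hub.load(..., silent=True) is an assumption about how a real pipeline would wire this in.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for model files served by a repository (not real ONNX
# protobufs); only their digests matter here.
BENIGN_MODEL = b"\x08\x07\x12\x05benign-graph"
TROJANED_MODEL = b"\x08\x07\x12\x08trojaned-graph"
MODEL_NAME = "resnet50"  # hypothetical model name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(model_bytes: bytes) -> str:
    """Build a JSON manifest shaped like the hub manifest (assumption: a list
    of entries with metadata.model_sha), with the digest of whatever the
    repository currently serves."""
    return json.dumps([{
        "model": MODEL_NAME,
        "model_path": f"vision/{MODEL_NAME}.onnx",
        "metadata": {"model_sha": sha256_hex(model_bytes)},
    }])


class Repository:
    """A repository that serves both the manifest and the model file.
    Whoever controls it regenerates the manifest after swapping the model,
    so the two always agree with each other."""

    def __init__(self, model_bytes: bytes):
        self.model_bytes = model_bytes
        self.manifest = make_manifest(model_bytes)

    def fetch_manifest(self) -> str:
        return self.manifest

    def fetch_model(self, name: str) -> bytes:
        return self.model_bytes


def hub_style_check(repo: Repository, name: str) -> bool:
    """The check the page describes: the expected digest is read from the
    same repository as the model, so a repository compromise is undetectable."""
    manifest = json.loads(repo.fetch_manifest())
    entry = next(e for e in manifest if e["model"] == name)
    return entry["metadata"]["model_sha"] == sha256_hex(repo.fetch_model(name))


class ModelIntegrityError(Exception):
    pass


def load_model_pinned(repo: Repository, name: str, pins: dict) -> bytes:
    """Hardened loader: the expected digest is pinned in the consuming
    project's own tree (like a lockfile) and never read from the repository.
    Returns the verified bytes; a real pipeline would hand them to
    onnx.load_from_string instead of calling onnx.hub.load(..., silent=True)."""
    expected = pins.get(name)
    if expected is None:
        raise ModelIntegrityError(f"no pinned digest for {name!r}; refusing to load")
    data = repo.fetch_model(name)
    if not hmac.compare_digest(expected, sha256_hex(data)):
        raise ModelIntegrityError(f"digest mismatch for {name!r}")
    return data


def scenario() -> dict:
    """Run both checks against an honest and a compromised repository."""
    # The pin is recorded once, when the model was reviewed and approved.
    pins = {MODEL_NAME: sha256_hex(BENIGN_MODEL)}
    honest = Repository(BENIGN_MODEL)
    compromised = Repository(TROJANED_MODEL)
    result = {
        "hub_check_honest": hub_style_check(honest, MODEL_NAME),
        "hub_check_compromised": hub_style_check(compromised, MODEL_NAME),
        "pinned_honest_loads": load_model_pinned(honest, MODEL_NAME, pins) == BENIGN_MODEL,
    }
    try:
        load_model_pinned(compromised, MODEL_NAME, pins)
        result["pinned_compromised_loads"] = True
    except ModelIntegrityError:
        result["pinned_compromised_loads"] = False
    return result


if __name__ == "__main__":
    print(scenario())
```

The point the scenario makes is that hub_style_check passes for the compromised repository exactly as it does for the honest one, because the manifest and the model were replaced together; only the out-of-band pin catches the swap. Treat the pin file like any other dependency lock: it lives in the consuming repository, changes to it go through code review, and a CI job that loads models with silent=True should be gated on this check rather than on a prompt nobody is there to answer.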