Summary
The requirements.txt currently pins onnx>=1.16.0,<=1.19.0, which prevents users from installing onnx 1.21.0 — the version that fixes CVE-2026-27489 (CVSS 8.7 HIGH, path traversal via symlink in external data loading).
CVE Details
Impact
Downstream projects that depend on Quark inherit the onnx<=1.19.0 constraint and cannot upgrade to the patched version. This leaves any ML pipeline using Quark exposed to the path traversal vulnerability when loading untrusted ONNX models.
Proposed Fix
Relax the upper bound in requirements.txt:
-onnx>=1.16.0,<=1.19.0
+onnx>=1.16.0,<=1.21.0
If there are known incompatibilities with onnx 1.20.x or 1.21.x, it would be helpful to document them so downstream users can make informed decisions.
Summary
The
requirements.txtcurrently pinsonnx>=1.16.0,<=1.19.0, which prevents users from installing onnx 1.21.0 — the version that fixes CVE-2026-27489 (CVSS 8.7 HIGH, path traversal via symlink in external data loading).CVE Details
Impact
Downstream projects that depend on Quark inherit the
onnx<=1.19.0constraint and cannot upgrade to the patched version. This leaves any ML pipeline using Quark exposed to the path traversal vulnerability when loading untrusted ONNX models.Proposed Fix
Relax the upper bound in
requirements.txt:If there are known incompatibilities with onnx 1.20.x or 1.21.x, it would be helpful to document them so downstream users can make informed decisions.