CVE-2024-36734

7.5 HIGH

📋 TL;DR

This vulnerability in OneFlow v0.9.1 allows attackers to cause Denial of Service (DoS) by sending negative values to the dim parameter. The improper input validation enables crashing or freezing of the affected service. Users running vulnerable versions of OneFlow are affected.

💻 Affected Systems

Products:
  • OneFlow-Inc. Oneflow
Versions: v0.9.1
Operating Systems: All platforms running OneFlow
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using the vulnerable dim parameter functionality is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability requiring restart or recovery procedures, potentially disrupting dependent applications.

🟠 Likely Case: Service crashes or becomes unresponsive, requiring manual intervention to restore functionality.

🟢 If Mitigated: Minimal impact with proper input validation and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple exploitation requiring only sending negative values to the vulnerable parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.9.2 or later

Vendor Advisory: https://github.com/Oneflow-Inc/oneflow

Restart Required: Yes

Instructions:

1. Check the current version with 'pip show oneflow'.
2. Upgrade with pip install --upgrade 'oneflow>=0.9.2' (quote the requirement so the shell does not treat '>=' as an output redirection).
3. Restart all OneFlow services.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement input validation to reject negative values for the dim parameter before the affected operation runs.

# Validate the dim parameter before handing it to the affected operation
def check_dim(dim):
    if dim < 0:
        raise ValueError('dim must be non-negative')

🧯 If You Can't Patch

  • Implement network-level filtering to block requests with negative parameter values
  • Deploy rate limiting and monitoring to detect DoS attempts

🔍 How to Verify

Check if Vulnerable:

Check if running OneFlow v0.9.1 with 'pip show oneflow' or 'python -c "import oneflow; print(oneflow.__version__)"'

Check Version:

python -c "import oneflow; print(oneflow.__version__)"

Verify Fix Applied:

Confirm version is v0.9.2 or higher and test with negative dim values to ensure proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Error logs containing 'dim' parameter with negative values
  • Service crash/restart logs
  • Unusual parameter values in request logs

Network Indicators:

  • HTTP requests with negative parameter values
  • Increased error response rates

SIEM Query:

source="*oneflow*" AND ("dim=-*" OR "negative dim" OR "service crash")
