CVE-2024-36743

7.5 HIGH

📋 TL;DR

This vulnerability in OneFlow v0.9.1 allows attackers to cause Denial of Service (DoS) by passing an empty array to the oneflow.dot function. The issue affects systems using OneFlow for machine learning operations, potentially disrupting services that rely on this library for tensor computations.

💻 Affected Systems

Products:
  • OneFlow-Inc. Oneflow
Versions: v0.9.1
Operating Systems: All platforms running Python with OneFlow
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the oneflow.dot function with empty arrays. Other tensor operations may not be impacted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability for applications using OneFlow, leading to business disruption and potential data loss in processing pipelines.

🟠 Likely Case

Application crashes or hangs when processing specific tensor operations, requiring manual intervention to restore service.

🟢 If Mitigated

Minimal impact with proper input validation and error handling in place, though performance degradation may still occur.

🌐 Internet-Facing: MEDIUM - Exploitable if the vulnerable function is exposed through APIs or user inputs, but requires specific conditions.
🏢 Internal Only: MEDIUM - Internal applications using OneFlow for data processing could be disrupted, affecting downstream services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to pass crafted input to the vulnerable function, which typically requires some level of access or API exposure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.9.2 or later

Vendor Advisory: https://github.com/Oneflow-Inc/oneflow

Restart Required: Yes

Instructions:

1. Check current OneFlow version: pip show oneflow
2. Upgrade to v0.9.2+: pip install --upgrade oneflow==0.9.2
3. Restart all services using OneFlow
4. Verify the fix by testing with empty arrays

🔧 Temporary Workarounds

Input Validation Wrapper

Add validation to check for empty arrays before calling oneflow.dot

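import oneflow

def safe_dot(a, b):
    # Tensor.size is a method in OneFlow, so compare the element count from numel() instead.
    if a.numel() == 0 or b.numel() == 0:
        raise ValueError('Empty arrays not allowed')
    return oneflow.dot(a, b)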

🧯 If You Can't Patch

  • Implement input validation to reject empty arrays before processing
  • Add exception handling and monitoring around oneflow.dot calls to detect and alert on crashes

🔍 How to Verify

Check if Vulnerable:

Test with:

import oneflow

try:
    # An affected build may crash or hang on this call, before either message prints.
    oneflow.dot(oneflow.Tensor([]), oneflow.Tensor([]))
    print('VULNERABLE')
except Exception:
    print('NOT VULNERABLE')

Check Version:

python -c "import oneflow; print(oneflow.__version__)"

Verify Fix Applied:

After patching, run the same test - it should raise a proper error instead of causing DoS
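The check above runs in the calling process, so a crash or hang ends the test before it can report anything. The following is an added example, not code from the advisory or the OneFlow project: it runs the same call in a child interpreter and classifies how the child ended; `classify_probe`, `verdict` and the outcome labels are hypothetical names chosen here.

```python
import subprocess
import sys

# The call from the page's check: dot product of two empty tensors.
ONEFLOW_PROBE = (
    "import oneflow\n"
    "oneflow.dot(oneflow.Tensor([]), oneflow.Tensor([]))\n"
)


def classify_probe(snippet, timeout=60.0):
    """Run `snippet` in a child interpreter and report how it ended."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", snippet],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "hang"            # child was killed after `timeout` seconds
    if proc.returncode == 0:
        return "returned"        # call completed without any error
    if "ModuleNotFoundError" in proc.stderr:
        return "not-installed"   # probe never reached oneflow.dot
    if proc.returncode > 0 and "Traceback (most recent call last)" in proc.stderr:
        return "exception"       # ordinary Python error, process exited cleanly
    return "crash"               # signal (negative code) or abort without traceback


def verdict(outcome):
    """Map an outcome to the advisory's terms (labels are this example's own)."""
    if outcome in ("crash", "hang"):
        return "DoS behaviour reproduced: upgrade or keep the input guard"
    if outcome == "exception":
        return "empty input rejected with a Python error"
    if outcome == "returned":
        return "call returned normally: no crash observed"
    return "inconclusive: OneFlow is not importable here"


if __name__ == "__main__":
    result = classify_probe(ONEFLOW_PROBE)
    print(result, "-", verdict(result))
```

Run it in the same virtual environment as the service so the child imports the OneFlow build that is actually deployed.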

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or hangs when processing tensor operations
  • Error logs containing stack traces from oneflow.dot calls
  • Increased memory usage followed by process termination

Network Indicators:

  • Sudden drop in API response rates for services using OneFlow
  • Increased timeout errors from dependent services

SIEM Query:

source='application.logs' AND ("oneflow.dot" OR "tensor processing") AND ("crash" OR "hang" OR "segmentation fault")
