CVE-2025-63397

6.5 MEDIUM

📋 TL;DR

This vulnerability in OneFlow v0.9.0 allows attackers to trigger a segmentation fault through improper input validation during broadcasting and type conversion operations. Attackers can exploit this by passing specially crafted Python sequences to the native code. This affects any system running the vulnerable version of OneFlow.

💻 Affected Systems

Products:
  • OneFlow
Versions: v0.9.0
Operating Systems: All platforms running Python with OneFlow
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the vulnerable broadcasting/type conversion functionality with untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Denial of service causing application crashes and potential data corruption in systems using OneFlow for critical operations.

🟠 Likely Case: Application instability and crashes when processing malicious or malformed input sequences.

🟢 If Mitigated: Minimal impact if input validation is performed externally before reaching OneFlow functions.

🌐 Internet-Facing: MEDIUM - Exploitable if OneFlow processes untrusted input from external sources.
🏢 Internal Only: LOW - Lower risk if only processing trusted internal data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to pass malicious Python sequences to OneFlow's broadcasting/type conversion functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue #10666 for latest patched version

Vendor Advisory: https://github.com/Oneflow-Inc/oneflow/issues/10666

Restart Required: Yes

Instructions:

1. Check the GitHub issue #10666 for patch availability
2. Update OneFlow to the latest patched version
3. Restart any services using OneFlow
4. Test broadcasting/type conversion functionality

🔧 Temporary Workarounds

Input Validation Wrapper

Implement input validation before passing sequences to OneFlow broadcasting/type conversion functions

# Python example: Validate input before OneFlow processing
def validate_sequence(input_seq):
    # Add custom validation logic
    if not isinstance(input_seq, (list, tuple)):
        raise ValueError('Invalid sequence type')
    # Additional validation as needed
    return True
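
A stricter form of the wrapper above, as an added example (not code from OneFlow or from the advisory). The page does not say which malformed sequences trigger the crash, so this assumes a conservative allow-list: bounded depth and size, rectangular nesting, and a single scalar element type. The function name and both limits are hypothetical.

```python
MAX_DEPTH = 8             # assumed limit, tune to your workload
MAX_ELEMENTS = 1_000_000  # assumed limit, counts containers and scalars
SCALARS = (bool, int, float)


def check_nested_sequence(seq, max_depth=MAX_DEPTH, max_elements=MAX_ELEMENTS):
    """Return (shape, leaf_type) for a rectangular, single-typed nested
    list/tuple; raise ValueError for anything else."""
    if not isinstance(seq, (list, tuple)):
        raise ValueError("top-level input must be a list or tuple")
    nodes = 0

    def walk(node, depth, active):
        nonlocal nodes
        nodes += 1
        if nodes > max_elements:
            raise ValueError("input larger than max_elements")
        if isinstance(node, (list, tuple)):
            if depth >= max_depth:
                raise ValueError("nesting deeper than max_depth")
            if id(node) in active:
                raise ValueError("sequence contains itself")
            if not node:
                return (0,), None
            active = active | {id(node)}
            kinds = {walk(child, depth + 1, active) for child in node}
            if len(kinds) != 1:
                raise ValueError("ragged nesting or mixed element types")
            shape, leaf = kinds.pop()
            return (len(node),) + shape, leaf
        # Exact type match: subclasses and arbitrary objects are rejected,
        # and bool is kept distinct from int so [True, 1] counts as mixed.
        if type(node) not in SCALARS:
            raise ValueError(f"unsupported element type {type(node).__name__}")
        return (), type(node)

    return walk(seq, 0, frozenset())
```

Call it on every untrusted sequence and hand the value to OneFlow only when it returns; a `ValueError` is raised in pure Python, before any native code runs.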

🧯 If You Can't Patch

  • Implement strict input validation for all data passed to OneFlow broadcasting functions
  • Isolate OneFlow processing to trusted environments only

🔍 How to Verify

Check if Vulnerable:

Check if running OneFlow v0.9.0 and test with malformed sequences in broadcasting operations

Check Version:

python -c "import oneflow; print(oneflow.__version__)"

Verify Fix Applied:

Test with previously crashing sequences after update to confirm no segmentation faults

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in application logs
  • OneFlow process crashes
  • Python core dumps

Network Indicators:

  • Unusual sequence patterns sent to OneFlow endpoints

SIEM Query:

source='application.logs' AND ("segmentation fault" OR "core dumped") AND process="python"
