CVE-2025-71001

6.5 MEDIUM

📋 TL;DR

A segmentation violation vulnerability in OneFlow's flow.column_stack component allows attackers to cause Denial of Service (DoS) through crafted input. This affects OneFlow v0.9.0 users who process untrusted data with the vulnerable function. The vulnerability can crash the application, disrupting services.

💻 Affected Systems

Products:
  • OneFlow
Versions: v0.9.0
Operating Systems: All platforms running OneFlow
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the flow.column_stack function with untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption through application crashes, potentially affecting dependent systems and causing extended downtime.

🟠 Likely Case

Intermittent application crashes when processing malicious inputs, leading to partial service degradation.

🟢 If Mitigated

Minimal impact with proper input validation and error handling in place.

🌐 Internet-Facing: MEDIUM - Exploitable if the vulnerable component processes external inputs, but requires specific conditions.
🏢 Internal Only: LOW - Lower risk if only trusted internal data is processed.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted input to the vulnerable function, which is straightforward for attackers with access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/Oneflow-Inc/oneflow/issues/10658

Restart Required: Yes

Instructions:

1. Monitor the GitHub issue for patches.
2. Upgrade to a fixed version when available.
3. Restart affected services after patching.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation for flow.column_stack inputs to reject malformed data.

Error Handling

all

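Add robust error handling around flow.column_stack calls to prevent crashes from propagating. A segmentation fault terminates the whole process and cannot be caught by a Python try/except block, so containing it means running the call in a separate worker process that a supervisor can restart.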

🧯 If You Can't Patch

  • Restrict access to systems using flow.column_stack to trusted users only.
  • Implement network segmentation to isolate vulnerable systems from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check if OneFlow version is 0.9.0 and if flow.column_stack is used in your codebase.

Check Version:

python -c "import oneflow; print(oneflow.__version__)"
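
The two checks above can be combined into one script. The following is an added example, not code from the OneFlow project or from this advisory: it parses Python source to find calls that resolve to oneflow.column_stack (including `import oneflow as flow` and `from oneflow import column_stack as ...` aliases) and reads the installed version from package metadata without importing OneFlow. The function names and the sample source are constructed for illustration.

```python
import ast
from importlib import metadata

AFFECTED_VERSION = "0.9.0"  # the only version the advisory lists as affected
SAMPLE = '''\
import numpy as np
import oneflow as flow
from oneflow import column_stack as cs
def merge(parts):
    return flow.column_stack(parts)
safe = np.column_stack(([1, 2], [3, 4]))
also = cs((flow.ones(2), flow.ones(2)))
'''  # constructed sample input, not code from a real project

def find_column_stack_calls(source, filename="<src>"):
    """Return (line, expression) for each call that resolves to oneflow.column_stack."""
    tree = ast.parse(source, filename)
    modules, direct = set(), set()  # names bound to oneflow / to column_stack itself
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "oneflow":
                    modules.add(a.asname or "oneflow")
        elif isinstance(node, ast.ImportFrom) and node.module == "oneflow":
            for a in node.names:
                if a.name == "column_stack":
                    direct.add(a.asname or a.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in direct:
            hits.append((node.lineno, f.id))
        elif (isinstance(f, ast.Attribute) and f.attr == "column_stack"
              and isinstance(f.value, ast.Name) and f.value.id in modules):
            hits.append((node.lineno, f"{f.value.id}.column_stack"))
    return sorted(hits)

def installed_oneflow_is_affected():
    """True/False from package metadata; None when oneflow is not installed."""
    try:
        version = metadata.version("oneflow")
    except metadata.PackageNotFoundError:
        return None
    return version.split("+")[0] == AFFECTED_VERSION  # ignore any local label (+...)

if __name__ == "__main__":
    print(find_column_stack_calls(SAMPLE), installed_oneflow_is_affected())
```

This is a static scan: it does not see call sites reached through dynamic attribute access or re-exported wrappers, so treat an empty result as a starting point rather than proof of absence.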

Verify Fix Applied:

Verify the OneFlow version is updated beyond 0.9.0 when a patch is released.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors
  • Application crash logs
  • Unexpected termination of OneFlow processes

Network Indicators:

  • Unusual input patterns to services using flow.column_stack

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "crash" OR "SIGSEGV") AND process="oneflow"
