CVE-2025-71005
📋 TL;DR
A floating point exception vulnerability in OneFlow's oneflow.view component allows attackers to crash the application via specially crafted input, causing denial of service. This affects systems running OneFlow v0.9.0 for machine learning operations.
💻 Affected Systems
- OneFlow
📦 What is this software?
Oneflow by Oneflow
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption where the OneFlow process crashes and becomes unavailable, potentially disrupting dependent machine learning pipelines and services.
Likely Case
Application crash requiring restart, causing temporary service interruption and potential data loss for in-progress operations.
If Mitigated
Minimal impact with proper input validation and monitoring that can quickly restart affected services.
🎯 Exploit Status
Exploitation requires crafting specific input to trigger the floating point exception. The GitHub issue suggests the vulnerability is known but no public exploit code is confirmed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/Oneflow-Inc/oneflow/issues/10654
Restart Required: Yes
Instructions:
1. Monitor the GitHub issue for official patch release. 2. Upgrade to patched version when available. 3. Restart all OneFlow services after patching.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation for all data passed to oneflow.view operations to prevent malformed inputs.
Process Monitoring and Auto-restart
linuxConfigure monitoring to detect crashes and automatically restart OneFlow processes.
# Example using systemd (Linux)
sudo systemctl edit oneflow.service
Add: Restart=always
sudo systemctl daemon-reload
🧯 If You Can't Patch
- Implement network segmentation to isolate OneFlow instances from untrusted networks
- Deploy application-level firewalls or WAFs to filter suspicious inputs to OneFlow APIs
🔍 How to Verify
Check if Vulnerable:
Check if OneFlow version is 0.9.0 by examining package metadata or running: python -c "import oneflow; print(oneflow.__version__)"Check Version:
python -c "import oneflow; print('OneFlow version:', oneflow.__version__)"Verify Fix Applied:
After patching, verify version is greater than 0.9.0 and test oneflow.view operations with previously problematic inputs.📡 Detection & Monitoring
Log Indicators:
- Process crash logs mentioning floating point exception
- OneFlow service termination without normal shutdown
- Error messages containing 'FPE' or 'floating point'
Network Indicators:
- Unusual patterns of requests to oneflow.view endpoints followed by service unavailability
SIEM Query:
source="oneflow.logs" AND ("floating point exception" OR "FPE" OR "SIGFPE")