Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-63397

CVE-2025-63397: Oneflow Buffer Overflow Vulnerability

CVE-2025-63397 is a buffer overflow vulnerability in Oneflow v0.9.0 caused by improper input validation during broadcasting. Attackers can trigger a segmentation fault. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-63397 Overview

CVE-2025-63397 is an improper input validation vulnerability in OneFlow v0.9.0, an open-source deep learning framework. Attackers can trigger a segmentation fault by adding a Python sequence to the native code during broadcasting or type conversion operations. The flaw is categorized under [CWE-20] Improper Input Validation and impacts application availability. The vulnerability is network-accessible and requires no authentication or user interaction.

Critical Impact

Attackers can crash OneFlow processes by supplying malformed Python sequences during tensor broadcasting or type conversion, producing a segmentation fault in native code.

Affected Products

  • OneFlow v0.9.0
  • CPE: cpe:2.3:a:oneflow:oneflow:0.9.0
  • Component: oneflow:oneflow

Discovery Timeline

  • 2025-11-10 - CVE-2025-63397 published to NVD
  • 2026-07-05 - Last updated in NVD database

Technical Details for CVE-2025-63397

Vulnerability Analysis

The vulnerability resides in OneFlow's Python-to-native boundary handling. When a Python sequence is passed to native code during broadcasting or type conversion, the runtime fails to validate the input structure before dereferencing it. This leads to a segmentation fault in the native layer.

The issue affects availability of the OneFlow process. Confidentiality impact is low and integrity is unaffected, according to the CVSS vector. The flaw is reachable through normal framework API usage that accepts arbitrary Python objects.

Root Cause

The root cause is missing input validation on Python sequence objects handed to native C++ routines that perform tensor broadcasting and type conversion. The native code assumes well-formed input and does not verify sequence type, length, or element compatibility before accessing memory. Malformed or unexpected sequences trigger invalid memory access.

Attack Vector

An attacker crafts a Python sequence and passes it to OneFlow tensor operations that internally invoke broadcasting or type conversion. The malformed input reaches native code that dereferences it without validation, crashing the interpreter process. Refer to the Oneflow GitHub Issue #10666 for the reproduction case reported by the researcher.

No verified public exploit code is available. See the Oneflow GitHub Repository and the reporter profile at Daisy2ang on GitHub for additional context.

Detection Methods for CVE-2025-63397

Indicators of Compromise

  • Unexpected termination of Python processes running OneFlow with SIGSEGV exit codes.
  • Core dump files generated by OneFlow worker processes during model training or inference.
  • Repeated crash restarts of OneFlow-based services correlated with untrusted input processing.

Detection Strategies

  • Monitor OneFlow process exit codes and stack traces for segmentation faults originating in broadcasting or type conversion functions.
  • Inspect application logs for Python tracebacks that terminate before completion during tensor operations.
  • Audit code paths where user-supplied data reaches OneFlow tensor constructors or arithmetic APIs.

Monitoring Recommendations

  • Enable core dump collection on hosts running OneFlow to capture crash artifacts for analysis.
  • Instrument ML pipelines with process supervisors that alert on abnormal termination.
  • Track version inventory to identify hosts still running OneFlow v0.9.0.

How to Mitigate CVE-2025-63397

Immediate Actions Required

  • Inventory all systems running OneFlow v0.9.0 and restrict exposure to untrusted input.
  • Validate and sanitize any Python sequences before passing them to OneFlow tensor APIs.
  • Isolate OneFlow workloads that process external data behind authenticated interfaces.

Patch Information

No fixed version is listed in the NVD entry at the time of publication. Track the Oneflow GitHub Issue #10666 and the Oneflow GitHub Repository for upstream fixes and release notes.

Workarounds

  • Wrap OneFlow tensor operations in application-level try/except handlers to prevent full process termination in supervised environments.
  • Enforce strict type and shape validation on inputs before invoking broadcasting or type conversion.
  • Run OneFlow inference and training processes under a process manager that restarts on crash to reduce availability impact.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.