CVE-2025-63397 Overview
CVE-2025-63397 is an improper input validation vulnerability in OneFlow v0.9.0, an open-source deep learning framework. Attackers can trigger a segmentation fault by adding a Python sequence to the native code during broadcasting or type conversion operations. The flaw is categorized under [CWE-20] Improper Input Validation and impacts application availability. The vulnerability is network-accessible and requires no authentication or user interaction.
Critical Impact
Attackers can crash OneFlow processes by supplying malformed Python sequences during tensor broadcasting or type conversion, producing a segmentation fault in native code.
Affected Products
- OneFlow v0.9.0
- CPE: cpe:2.3:a:oneflow:oneflow:0.9.0
- Component: oneflow:oneflow
Discovery Timeline
- 2025-11-10 - CVE-2025-63397 published to NVD
- 2026-07-05 - Last updated in NVD database
Technical Details for CVE-2025-63397
Vulnerability Analysis
The vulnerability resides in OneFlow's Python-to-native boundary handling. When a Python sequence is passed to native code during broadcasting or type conversion, the runtime fails to validate the input structure before dereferencing it. This leads to a segmentation fault in the native layer.
The issue affects availability of the OneFlow process. Confidentiality impact is low and integrity is unaffected, according to the CVSS vector. The flaw is reachable through normal framework API usage that accepts arbitrary Python objects.
Root Cause
The root cause is missing input validation on Python sequence objects handed to native C++ routines that perform tensor broadcasting and type conversion. The native code assumes well-formed input and does not verify sequence type, length, or element compatibility before accessing memory. Malformed or unexpected sequences trigger invalid memory access.
Attack Vector
An attacker crafts a Python sequence and passes it to OneFlow tensor operations that internally invoke broadcasting or type conversion. The malformed input reaches native code that dereferences it without validation, crashing the interpreter process. Refer to the Oneflow GitHub Issue #10666 for the reproduction case reported by the researcher.
No verified public exploit code is available. See the Oneflow GitHub Repository and the reporter profile at Daisy2ang on GitHub for additional context.
Detection Methods for CVE-2025-63397
Indicators of Compromise
- Unexpected termination of Python processes running OneFlow with SIGSEGV exit codes.
- Core dump files generated by OneFlow worker processes during model training or inference.
- Repeated crash restarts of OneFlow-based services correlated with untrusted input processing.
Detection Strategies
- Monitor OneFlow process exit codes and stack traces for segmentation faults originating in broadcasting or type conversion functions.
- Inspect application logs for Python tracebacks that terminate before completion during tensor operations.
- Audit code paths where user-supplied data reaches OneFlow tensor constructors or arithmetic APIs.
Monitoring Recommendations
- Enable core dump collection on hosts running OneFlow to capture crash artifacts for analysis.
- Instrument ML pipelines with process supervisors that alert on abnormal termination.
- Track version inventory to identify hosts still running OneFlow v0.9.0.
How to Mitigate CVE-2025-63397
Immediate Actions Required
- Inventory all systems running OneFlow v0.9.0 and restrict exposure to untrusted input.
- Validate and sanitize any Python sequences before passing them to OneFlow tensor APIs.
- Isolate OneFlow workloads that process external data behind authenticated interfaces.
Patch Information
No fixed version is listed in the NVD entry at the time of publication. Track the Oneflow GitHub Issue #10666 and the Oneflow GitHub Repository for upstream fixes and release notes.
Workarounds
- Wrap OneFlow tensor operations in application-level try/except handlers to prevent full process termination in supervised environments.
- Enforce strict type and shape validation on inputs before invoking broadcasting or type conversion.
- Run OneFlow inference and training processes under a process manager that restarts on crash to reduce availability impact.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

