
CVE-2025-65886: OneFlow v0.9.0 DoS Vulnerability

CVE-2025-65886 is a denial of service flaw in OneFlow v0.9.0 caused by shape mismatch errors when processing crafted tensor shapes. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2025-65886 Overview

A shape mismatch vulnerability exists in OneFlow v0.9.0 that allows attackers to cause a Denial of Service (DoS) condition. The vulnerability is triggered when the application processes crafted tensor shapes, leading to resource exhaustion and application crash. This flaw is classified under CWE-400 (Uncontrolled Resource Consumption).

Critical Impact

Remote attackers can exploit this vulnerability to crash OneFlow instances by supplying maliciously crafted tensor shapes, potentially disrupting machine learning workflows and production deployments.

Affected Products

  • OneFlow v0.9.0
  • Earlier versions may also be affected (unconfirmed)

Discovery Timeline

  • 2026-01-28 - CVE-2025-65886 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2025-65886

Vulnerability Analysis

This vulnerability stems from improper handling of tensor shape validation in OneFlow's deep learning framework. When the framework receives tensor operations with mismatched or malformed shape specifications, it fails to properly validate these inputs before processing. The lack of adequate boundary checking allows an attacker to craft tensor shapes that trigger resource exhaustion, leading to a denial of service condition.

The vulnerability can be exploited remotely over the network without requiring authentication or user interaction. The impact is limited to availability, meaning attackers cannot use this flaw to access or modify data, but can successfully disrupt service operations.

Root Cause

The root cause is classified as CWE-400 (Uncontrolled Resource Consumption). The OneFlow framework does not properly validate tensor shape inputs before attempting to allocate resources or perform computations. When conflicting or oversized shape parameters are provided, the application attempts to process these invalid shapes, consuming excessive resources and eventually crashing.

Attack Vector

The attack can be executed remotely over the network by sending specially crafted tensor shape parameters to a OneFlow instance. The attacker does not require any privileges or authentication to exploit this vulnerability. The attack complexity is low, making it accessible to attackers with basic knowledge of tensor operations in machine learning frameworks.

An attacker would craft tensor operations with mismatched dimensions or invalid shape specifications and submit these to the target OneFlow instance. The framework's insufficient input validation allows these malformed inputs to proceed, ultimately causing resource exhaustion and service disruption.

Technical details and proof-of-concept information can be found in the OneFlow GitHub Issue #10666.

Detection Methods for CVE-2025-65886

Indicators of Compromise

  • Unexpected application crashes or restarts of OneFlow processes
  • Abnormal memory consumption spikes preceding service failures
  • Error logs indicating tensor shape mismatches or dimension validation failures
  • Incoming requests containing unusually large or conflicting tensor dimensions

Detection Strategies

  • Monitor OneFlow application logs for shape mismatch errors and exceptions
  • Implement input validation at the API layer to detect malformed tensor shapes before they reach the framework
  • Configure resource usage alerts to detect abnormal memory or CPU consumption patterns
  • Deploy network intrusion detection rules to identify suspicious tensor operation requests

Monitoring Recommendations

  • Set up real-time monitoring for OneFlow process health and automatic restart notifications
  • Configure log aggregation to capture and analyze tensor operation failures
  • Implement rate limiting on tensor operation endpoints to mitigate DoS attempts
  • Monitor for patterns of repeated failed requests that may indicate exploitation attempts

How to Mitigate CVE-2025-65886

Immediate Actions Required

  • Review all OneFlow v0.9.0 deployments and assess exposure to untrusted inputs
  • Implement input validation at application boundaries to reject malformed tensor shapes
  • Consider deploying network-level protections to filter potentially malicious requests
  • Monitor the OneFlow GitHub repository for security patches

Patch Information

As of the last update on 2026-01-29, refer to the OneFlow GitHub Issue #10666 for the latest information on patches and fixes. Users should monitor the official OneFlow GitHub repository for security updates and upgrade to patched versions when available.

Workarounds

  • Implement strict input validation for all tensor shape parameters at the application layer
  • Deploy rate limiting and request filtering to protect exposed OneFlow endpoints
  • Isolate OneFlow instances from direct untrusted network access using network segmentation
  • Use containerization with resource limits to contain the impact of potential DoS attacks

```bash
# Example: container resource limits for OneFlow deployments
docker run --memory="4g" --cpus="2" --restart=on-failure:3 oneflow-app
```

```nginx
# Example: basic nginx rate limiting for API endpoints
# limit_req_zone belongs in the http {} context
limit_req_zone $binary_remote_addr zone=oneflow_limit:10m rate=10r/s;

# The location block belongs inside a server {} block
location /api/tensor {
    limit_req zone=oneflow_limit burst=20 nodelay;
    proxy_pass http://oneflow_backend;
}
```
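
One way to implement the application-layer shape validation listed under Detection Strategies and Workarounds, as an added example (not code from OneFlow or from the original advisory). The limits, the ShapeRejected exception and both function names are assumptions for illustration, and the two-operand check assumes the exposed operation uses NumPy-style broadcasting.

```python
from math import prod

# Assumed limits for illustration; tune to the model and the container memory limit.
MAX_RANK = 8
MAX_DIM = 65_536
MAX_ELEMENTS = 64 * 1024 * 1024      # 64 Mi elements
BYTES_PER_ELEMENT = 4                # float32
MAX_BYTES = 256 * 1024 * 1024        # 256 MiB per tensor


class ShapeRejected(ValueError):
    """Raised when a client-supplied shape must not reach the framework."""


def validate_shape(shape):
    """Return the shape as a tuple of ints, or raise ShapeRejected."""
    if not isinstance(shape, (list, tuple)):
        raise ShapeRejected("shape must be a list of integers")
    if len(shape) > MAX_RANK:
        raise ShapeRejected(f"rank {len(shape)} exceeds {MAX_RANK}")
    for d in shape:
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(d, bool) or not isinstance(d, int):
            raise ShapeRejected(f"non-integer dimension {d!r}")
        if d < 0 or d > MAX_DIM:
            raise ShapeRejected(f"dimension {d} outside 0..{MAX_DIM}")
    n = prod(shape)  # Python integers do not overflow
    if n > MAX_ELEMENTS or n * BYTES_PER_ELEMENT > MAX_BYTES:
        raise ShapeRejected(f"{n} elements exceeds the allocation budget")
    return tuple(shape)


def validate_binary_op(shape_a, shape_b):
    """Validate both operands and return the broadcast result shape."""
    a, b = validate_shape(shape_a), validate_shape(shape_b)
    out = []
    # Compare trailing dimensions; a missing dimension counts as 1.
    for i in range(1, max(len(a), len(b)) + 1):
        da = a[-i] if i <= len(a) else 1
        db = b[-i] if i <= len(b) else 1
        if da != db and 1 not in (da, db):
            raise ShapeRejected(f"dimension mismatch {da} vs {db} at axis -{i}")
        out.append(db if da == 1 else da)
    # The broadcast result can be far larger than either operand, so bound it too.
    return validate_shape(tuple(reversed(out)))
```

Call the validator in the request handler before any tensor is constructed, and log each ShapeRejected with the client address so repeated rejections feed the monitoring described above.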

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
