CVE-2025-65886 Overview
A shape mismatch vulnerability exists in OneFlow v0.9.0 that allows attackers to cause a Denial of Service (DoS) condition. The vulnerability is triggered when the application processes crafted tensor shapes, leading to resource exhaustion and application crash. This flaw is classified under CWE-400 (Uncontrolled Resource Consumption).
Critical Impact
Remote attackers can exploit this vulnerability to crash OneFlow instances by supplying maliciously crafted tensor shapes, potentially disrupting machine learning workflows and production deployments.
Affected Products
- OneFlow v0.9.0
- Earlier versions may also be affected (unconfirmed)
Discovery Timeline
- 2026-01-28 - CVE CVE-2025-65886 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-65886
Vulnerability Analysis
This vulnerability stems from improper handling of tensor shape validation in OneFlow's deep learning framework. When the framework receives tensor operations with mismatched or malformed shape specifications, it fails to properly validate these inputs before processing. The lack of adequate boundary checking allows an attacker to craft tensor shapes that trigger resource exhaustion, leading to a denial of service condition.
The vulnerability can be exploited remotely over the network without requiring authentication or user interaction. The impact is limited to availability, meaning attackers cannot use this flaw to access or modify data, but can successfully disrupt service operations.
Root Cause
The root cause is classified as CWE-400 (Uncontrolled Resource Consumption). The OneFlow framework does not properly validate tensor shape inputs before attempting to allocate resources or perform computations. When conflicting or oversized shape parameters are provided, the application attempts to process these invalid shapes, consuming excessive resources and eventually crashing.
Attack Vector
The attack can be executed remotely over the network by sending specially crafted tensor shape parameters to a OneFlow instance. The attacker does not require any privileges or authentication to exploit this vulnerability. The attack complexity is low, making it accessible to attackers with basic knowledge of tensor operations in machine learning frameworks.
An attacker would craft tensor operations with mismatched dimensions or invalid shape specifications and submit these to the target OneFlow instance. The framework's insufficient input validation allows these malformed inputs to proceed, ultimately causing resource exhaustion and service disruption.
Technical details and proof-of-concept information can be found in the OneFlow GitHub Issue #10666.
Detection Methods for CVE-2025-65886
Indicators of Compromise
- Unexpected application crashes or restarts of OneFlow processes
- Abnormal memory consumption spikes preceding service failures
- Error logs indicating tensor shape mismatches or dimension validation failures
- Incoming requests containing unusually large or conflicting tensor dimensions
Detection Strategies
- Monitor OneFlow application logs for shape mismatch errors and exceptions
- Implement input validation at the API layer to detect malformed tensor shapes before they reach the framework
- Configure resource usage alerts to detect abnormal memory or CPU consumption patterns
- Deploy network intrusion detection rules to identify suspicious tensor operation requests
Monitoring Recommendations
- Set up real-time monitoring for OneFlow process health and automatic restart notifications
- Configure log aggregation to capture and analyze tensor operation failures
- Implement rate limiting on tensor operation endpoints to mitigate DoS attempts
- Monitor for patterns of repeated failed requests that may indicate exploitation attempts
How to Mitigate CVE-2025-65886
Immediate Actions Required
- Review all OneFlow v0.9.0 deployments and assess exposure to untrusted inputs
- Implement input validation at application boundaries to reject malformed tensor shapes
- Consider deploying network-level protections to filter potentially malicious requests
- Monitor the OneFlow GitHub repository for security patches
Patch Information
As of the last update on 2026-01-29, refer to the OneFlow GitHub Issue #10666 for the latest information on patches and fixes. Users should monitor the official OneFlow GitHub repository for security updates and upgrade to patched versions when available.
Workarounds
- Implement strict input validation for all tensor shape parameters at the application layer
- Deploy rate limiting and request filtering to protect exposed OneFlow endpoints
- Isolate OneFlow instances from direct untrusted network access using network segmentation
- Use containerization with resource limits to contain the impact of potential DoS attacks
# Example: Implement container resource limits for OneFlow deployments
docker run --memory="4g" --cpus="2" --restart=on-failure:3 oneflow-app
# Example: Basic nginx rate limiting for API endpoints
# Add to nginx configuration
limit_req_zone $binary_remote_addr zone=oneflow_limit:10m rate=10r/s;
location /api/tensor {
limit_req zone=oneflow_limit burst=20 nodelay;
proxy_pass http://oneflow_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
