CVE-2025-71005 Overview
A floating point exception (FPE) vulnerability exists in the oneflow.view component of OneFlow v0.9.0. This vulnerability allows attackers to cause a Denial of Service (DoS) condition by supplying specially crafted input to the affected component. The vulnerability is classified under CWE-369 (Divide By Zero), indicating improper handling of division operations that can lead to application crashes.
Critical Impact
Attackers can crash OneFlow applications by triggering a floating point exception through malicious input, causing service disruption for machine learning workloads.
Affected Products
- OneFlow v0.9.0
- OneFlow oneflow.view component
Discovery Timeline
- 2026-01-28 - CVE CVE-2025-71005 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-71005
Vulnerability Analysis
This vulnerability stems from improper input validation in the oneflow.view component of the OneFlow deep learning framework. When processing tensor reshape operations, the component fails to properly validate input parameters before performing division operations. This can result in a divide-by-zero condition that triggers a floating point exception (FPE), causing the application to terminate unexpectedly.
The vulnerability is exploitable over the network and requires some user interaction, such as loading a malicious model or processing attacker-controlled data. While the vulnerability does not compromise confidentiality or integrity, it has a high impact on availability as it can completely crash the affected application.
Root Cause
The root cause is classified as CWE-369 (Divide By Zero). The oneflow.view function performs mathematical calculations to reshape tensors without adequately checking for zero or invalid values in the denominator. When an attacker provides carefully crafted input containing values that result in a zero divisor, the floating point exception is triggered, leading to an immediate application crash.
Attack Vector
The attack vector is network-based, meaning the vulnerability can be exploited remotely. An attacker could exploit this vulnerability by:
- Crafting malicious input data that, when processed by the oneflow.view function, triggers a division by zero
- Supplying a malformed model file or tensor data to an application using OneFlow
- Sending specially crafted API requests to services utilizing the vulnerable component
The attack requires user interaction, typically in the form of a victim loading or processing attacker-controlled data.
The vulnerability mechanism involves improper validation of tensor dimensions in the oneflow.view component. When reshaping tensors, if the input dimensions contain values that result in a zero divisor during the reshape calculation, a floating point exception occurs. Technical details can be found in the GitHub Issue #10654 filed against the OneFlow repository.
Detection Methods for CVE-2025-71005
Indicators of Compromise
- Application crashes with floating point exception (SIGFPE) signals in logs
- Unexpected termination of OneFlow-based processes during tensor operations
- Core dumps indicating FPE in the oneflow.view function stack trace
Detection Strategies
- Monitor application logs for SIGFPE signals and divide-by-zero errors
- Implement input validation checks before tensor reshape operations
- Deploy anomaly detection for unusual crash patterns in ML pipeline services
Monitoring Recommendations
- Enable crash reporting and stack trace collection for OneFlow applications
- Monitor system health metrics for unexpected process terminations
- Set up alerts for repeated crashes in services utilizing OneFlow tensor operations
How to Mitigate CVE-2025-71005
Immediate Actions Required
- Review all applications using OneFlow v0.9.0 for exposure to untrusted input
- Implement input validation to sanitize tensor dimensions before calling oneflow.view
- Consider isolating OneFlow workloads in sandboxed environments to limit DoS impact
Patch Information
Monitor the OneFlow GitHub repository for official patches and updates addressing this vulnerability. At the time of publication, users should review the linked issue for the latest remediation guidance from the maintainers.
Workarounds
- Add explicit validation to check for zero values in tensor dimension calculations before using oneflow.view
- Implement try-catch exception handling around tensor operations to prevent application crashes
- Restrict access to services processing untrusted input with the vulnerable component
# Example: Input validation wrapper for oneflow.view operations
# Validate tensor dimensions before reshape to prevent FPE
# Ensure no dimension values would result in divide-by-zero conditions
# Consider implementing rate limiting on API endpoints accepting tensor data
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
