Cyber Posture

CVE-2025-71007

HighPublic PoC

Published: 28 January 2026

Published
28 January 2026
Modified
03 February 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 10.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-71007 is a high-severity Improper Input Validation (CWE-20) vulnerability in Oneflow Oneflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

PM-14 Testing, Training, and Monitoring
addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

SA-11 Developer Testing and Evaluation
addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

SI-10 Information Input Validation
addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

SI-8 Spam Protection
addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Input validation flaw directly enables remote application exploitation resulting in endpoint DoS (crash).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Deeper analysisAI

CVE-2025-71007 is an input validation vulnerability (CWE-20) in the oneflow.index_add component of OneFlow v0.9.0. This flaw allows attackers to cause a Denial of Service (DoS) by supplying a crafted input to the affected component. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting its high availability impact with no effects on confidentiality or integrity.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges or user interaction. Unauthenticated remote actors can trigger the DoS, potentially crashing OneFlow instances and disrupting dependent applications or services.

Advisories and additional details are documented in the provided references, including the OneFlow GitHub issue tracker at https://github.com/Oneflow-Inc/oneflow/issues/10652 and https://github.com/Daisy2ang. Security practitioners should consult these for patch information or workarounds specific to OneFlow v0.9.0.

Details

CWE(s)
CWE-20

Affected Products

oneflow
oneflow
0.9.0

CVEs Like This One

CVE-2025-71003Same product: Oneflow Oneflow
CVE-2025-65886Same product: Oneflow Oneflow
CVE-2025-70999Same product: Oneflow Oneflow
CVE-2025-65888Same product: Oneflow Oneflow
CVE-2025-71000Same product: Oneflow Oneflow
CVE-2025-65891Same product: Oneflow Oneflow
CVE-2025-65890Same product: Oneflow Oneflow
CVE-2025-65889Same product: Oneflow Oneflow
CVE-2026-27623Shared CWE-20
CVE-2025-61614Shared CWE-20

References