CVE-2025-71007
Published: 28 January 2026
Summary
CVE-2025-71007 is a high-severity Improper Input Validation (CWE-20) vulnerability in Oneflow Oneflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-71007 is an input validation vulnerability (CWE-20) in the oneflow.index_add component of OneFlow v0.9.0. This flaw allows attackers to cause a Denial of Service (DoS) by supplying a crafted input to the affected component. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting its high availability impact with no effects on confidentiality or integrity.
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges or user interaction. Unauthenticated remote actors can trigger the DoS, potentially crashing OneFlow instances and disrupting dependent applications or services.
Advisories and additional details are documented in the provided references, including the OneFlow GitHub issue tracker at https://github.com/Oneflow-Inc/oneflow/issues/10652 and https://github.com/Daisy2ang. Security practitioners should consult these for patch information or workarounds specific to OneFlow v0.9.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206413
Vulnerability details
An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Input validation flaw directly enables remote application exploitation resulting in endpoint DoS (crash).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates information input validation mechanisms at input points, comprehensively addressing the CWE-20 input validation flaw in OneFlow's oneflow.index_add component that enables DoS.
Requires identification, reporting, and correction of system flaws like this input validation vulnerability in OneFlow v0.9.0 through timely patching.
Protects against denial-of-service events by limiting the effects of crafted inputs that crash OneFlow instances, matching the CVE's high availability impact.