Cyber Resilience

CVE-2025-71007

HighPublic PoC

Published: 28 January 2026

Published
28 January 2026
Modified
03 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0007 22.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-71007 is a high-severity Improper Input Validation (CWE-20) vulnerability in Oneflow Oneflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-71007 is an input validation vulnerability (CWE-20) in the oneflow.index_add component of OneFlow v0.9.0. This flaw allows attackers to cause a Denial of Service (DoS) by supplying a crafted input to the affected component. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting its high availability impact with no effects on confidentiality or integrity.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges or user interaction. Unauthenticated remote actors can trigger the DoS, potentially crashing OneFlow instances and disrupting dependent applications or services.

Advisories and additional details are documented in the provided references, including the OneFlow GitHub issue tracker at https://github.com/Oneflow-Inc/oneflow/issues/10652 and https://github.com/Daisy2ang. Security practitioners should consult these for patch information or workarounds specific to OneFlow v0.9.0.

EU & UK References

Vulnerability details

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Input validation flaw directly enables remote application exploitation resulting in endpoint DoS (crash).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71003Same product: Oneflow Oneflow
CVE-2025-65891Same product: Oneflow Oneflow
CVE-2025-65888Same product: Oneflow Oneflow
CVE-2025-65886Same product: Oneflow Oneflow
CVE-2025-71000Same product: Oneflow Oneflow
CVE-2025-70999Same product: Oneflow Oneflow
CVE-2025-65889Same product: Oneflow Oneflow
CVE-2025-65890Same product: Oneflow Oneflow
CVE-2026-22862Shared CWE-20
CVE-2026-22868Shared CWE-20

Affected Assets

oneflow
oneflow
0.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates information input validation mechanisms at input points, comprehensively addressing the CWE-20 input validation flaw in OneFlow's oneflow.index_add component that enables DoS.

prevent

Requires identification, reporting, and correction of system flaws like this input validation vulnerability in OneFlow v0.9.0 through timely patching.

prevent

Protects against denial-of-service events by limiting the effects of crafted inputs that crash OneFlow instances, matching the CVE's high availability impact.

References