CVE-2025-2151
Published: 10 March 2025
Summary
CVE-2025-2151 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 42.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely identification, reporting, and patching of the stack buffer overflow flaw in Assimp 5.4.3.
Implements memory protection mechanisms like stack canaries, ASLR, and non-executable stacks to prevent exploitation of the stack-based buffer overflow in Assimp::GetNextLine.
Requires validation of file inputs processed by Assimp to restrict malformed data that could trigger the buffer overflow in the file handler component.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in Assimp file parser enables code execution via malicious 3D asset file (T1203 Exploitation for Client Execution); requires user interaction to process the file (T1204.002 Malicious File).
NVD Description
A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function Assimp::GetNextLine in the library ParsingUtils.h of the component File Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2151 is a stack-based buffer overflow vulnerability classified as critical in the Open Asset Import Library (Assimp) version 5.4.3. The issue resides in the Assimp::GetNextLine function within ParsingUtils.h of the File Handler component. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).
The vulnerability enables remote exploitation through manipulation of input, requiring no privileges (PR:N) but user interaction (UI:R), as indicated by its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). An attacker can supply a malicious file that, when processed by an application using the affected Assimp library, triggers the buffer overflow, potentially resulting in limited impacts to confidentiality, integrity, and availability.
Advisories and discussions are available in GitHub issues #6016 and #6026 for Assimp, along with VulDB entries at ctiid.299062 and id.299062. A proof-of-concept exploit crash file has been publicly disclosed at sae-as-me/Crashes/raw/refs/heads/main/assimp/assimp_crash_1, indicating the vulnerability may be usable in attacks.
The exploit has been disclosed to the public, increasing the risk for applications relying on Assimp for 3D asset parsing.
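The bug class described above, a line-reading routine that writes past a stack buffer, is avoided by checking the destination index against the buffer capacity on every byte. The following C example is an added illustration, not Assimp's code or its fix; the function name `next_line_bounded`, the status codes and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

enum line_status { LINE_EOF = 0, LINE_OK = 1, LINE_TOO_LONG = -1 };

/* Hypothetical bounded line reader (not an Assimp API).
 * Copies the next line of [*cur, end) into out, which holds out_cap bytes
 * including the terminating NUL. The write index is checked against
 * out_cap on every byte, and *cur always moves past the whole line and
 * its terminator, so an overlong line is reported, not written past out. */
enum line_status next_line_bounded(const char **cur, const char *end,
                                   char *out, size_t out_cap)
{
    const char *p = *cur;
    size_t n = 0;
    int truncated = 0;

    if (out == NULL || out_cap == 0) return LINE_TOO_LONG;
    out[0] = '\0';
    if (p >= end) return LINE_EOF;

    while (p < end && *p != '\n' && *p != '\r') {
        if (n + 1 < out_cap) out[n++] = *p;   /* keep room for the NUL */
        else truncated = 1;                   /* drop the excess bytes */
        ++p;
    }
    out[n] = '\0';
    if (p < end && *p == '\r') ++p;           /* accept \n, \r or \r\n */
    if (p < end && *p == '\n') ++p;
    *cur = p;
    return truncated ? LINE_TOO_LONG : LINE_OK;
}

int main(void)
{
    /* Constructed sample: a normal line, a 40-byte line, a normal line. */
    static const char data[] =
        "v 1 2 3\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nf 1\n";
    const char *cur = data, *end = data + sizeof data - 1;
    char line[16];
    enum line_status st;

    while ((st = next_line_bounded(&cur, end, line, sizeof line)) != LINE_EOF)
        printf("%-8s \"%s\"\n", st == LINE_OK ? "ok" : "too long", line);
    return 0;
}
```

A caller that receives `LINE_TOO_LONG` can reject the file or skip the line; in both cases the parser stays synchronised with the input and the 16-byte buffer is never exceeded.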
Details
- CWE(s)