CVE-2025-2152
Published: 10 March 2025
Summary
CVE-2025-2152 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the Open Asset Import Library (Assimp). Its CVSS v3.1 base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 28.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2) means patching the heap-based buffer overflow in Assimp 5.4.3 as soon as a fixed release is available; this is the only control that removes the vulnerability rather than containing it.
Memory protection (SI-16) mechanisms such as ASLR, DEP/NX and heap hardening do not remove the overflow, but they make turning a heap corruption like CVE-2025-2152 into reliable code execution considerably harder and tend to reduce failed attempts to a crash.
Input validation on files processed by Assimp reduces the chance that malformed inputs reach the vulnerable ConvertToUTF8 function. Because 3D asset formats are complex and hard to validate completely, validation is best paired with processing untrusted models in a sandboxed or low-privilege process, so that a crash or corruption in the importer does not compromise the host application.
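The following C program is an illustration added here; it is not Assimp code and is not derived from the referenced issue. The page does not describe the actual root cause inside ConvertToUTF8, so this shows only the generic CWE-122 pattern behind a charset-widening routine: sizing a heap buffer from the input length and then writing an expanded encoding into it. The Latin-1 to UTF-8 conversion, the function names and the sample bytes are assumptions chosen for the demonstration; the hardened version computes the required size from the data and bounds-checks every write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical example, not Assimp code: widening Latin-1 bytes to UTF-8.
 * Every byte >= 0x80 becomes two UTF-8 bytes, so an output buffer sized
 * from the input length alone (the classic CWE-122 mistake) is too small
 * as soon as the input contains high bytes. */

/* Constructed sample input: 'a', e-acute (0xE9), 'b', u-umlaut (0xFC). */
const unsigned char SAMPLE_LATIN1[] = { 'a', 0xE9, 'b', 0xFC };
const size_t SAMPLE_LEN = sizeof(SAMPLE_LATIN1);

/* The naive sizing: one output byte per input byte plus a terminator.
 * Returned only so the shortfall can be measured; never allocate with it. */
size_t naive_utf8_alloc(size_t n) {
    return n + 1;
}

/* Correct bound: count the bytes the UTF-8 encoding actually needs. */
size_t required_utf8_size(const unsigned char *in, size_t n) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (in[i] < 0x80) ? 1 : 2;
    return out + 1; /* room for the NUL terminator */
}

/* Hardened conversion: derive the capacity from the data, allocate exactly
 * that, and check every write against it. Returns a malloc'd, NUL-terminated
 * string (caller frees) or NULL on failure; *out_len receives the byte
 * length without the terminator. */
char *latin1_to_utf8(const unsigned char *in, size_t n, size_t *out_len) {
    size_t cap = required_utf8_size(in, n);
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        size_t need = (c < 0x80) ? 1 : 2;
        /* Bounds check before writing; keeps one byte for the terminator. */
        if (j + need >= cap) {
            free(out);
            return NULL;
        }
        if (c < 0x80) {
            out[j++] = (char)c;
        } else {
            out[j++] = (char)(0xC0 | (c >> 6));   /* lead byte */
            out[j++] = (char)(0x80 | (c & 0x3F)); /* continuation byte */
        }
    }
    out[j] = '\0';
    if (out_len != NULL)
        *out_len = j;
    return out;
}

/* How many bytes past the naive allocation this input would write. */
size_t overflow_bytes(const unsigned char *in, size_t n) {
    size_t need = required_utf8_size(in, n);
    size_t naive = naive_utf8_alloc(n);
    return need > naive ? need - naive : 0;
}

/* Self-check: convert the sample and compare with the expected UTF-8 bytes. */
int sample_converts_correctly(void) {
    static const unsigned char expected[] = { 'a', 0xC3, 0xA9, 'b', 0xC3, 0xBC };
    size_t len = 0;
    char *utf8 = latin1_to_utf8(SAMPLE_LATIN1, SAMPLE_LEN, &len);
    if (utf8 == NULL)
        return 0;
    int ok = (len == sizeof(expected)) && memcmp(utf8, expected, len) == 0 && utf8[len] == '\0';
    free(utf8);
    return ok;
}

int main(void) {
    size_t len = 0;
    char *utf8 = latin1_to_utf8(SAMPLE_LATIN1, SAMPLE_LEN, &len);
    if (utf8 == NULL)
        return 1;
    printf("naive alloc %zu bytes, required %zu bytes, overflow %zu bytes\n",
           naive_utf8_alloc(SAMPLE_LEN),
           required_utf8_size(SAMPLE_LATIN1, SAMPLE_LEN),
           overflow_bytes(SAMPLE_LATIN1, SAMPLE_LEN));
    printf("utf8 (%zu bytes):", len);
    for (size_t i = 0; i < len; i++)
        printf(" %02X", (unsigned char)utf8[i]);
    printf("\n");
    free(utf8);
    return 0;
}
```

For the four-byte sample the naive sizing allocates 5 bytes while the encoding needs 7, so an unchecked writer would run 2 bytes past the heap block; with heap hardening enabled that typically surfaces as a crash (A:L), without it the adjacent allocation is silently corrupted (I:L). The practical lesson is the same one that applies to any importer: the output bound must come from the data, not from the input length.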
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a heap-based buffer overflow in a file-parsing library (Assimp) that is triggered when a user opens a specially crafted file, which maps directly to malicious-file delivery for execution (T1204.002).
NVD Description
A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function Assimp::BaseImporter::ConvertToUTF8 of the file BaseImporter.cpp of the component File Handler. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2152 is a heap-based buffer overflow in the Open Asset Import Library (Assimp) version 5.4.3. Although the source description labels it critical, its CVSS v3.1 base score is 6.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The issue resides in the Assimp::BaseImporter::ConvertToUTF8 function in BaseImporter.cpp, part of the File Handler component, and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).
The attack vector is network (AV:N) because the crafted file can be delivered remotely, but exploitation still requires user interaction (UI:R): the victim has to open the file in an application that uses Assimp for asset import. Any unattended service that feeds untrusted models to Assimp satisfies that condition automatically. Successful exploitation is rated with low impact on confidentiality, integrity and availability (C:L/I:L/A:L): partial data exposure or corruption, or a denial of service when the heap corruption crashes the process. No privileges are required and attack complexity is low, but the attacker depends on the victim processing the malicious file.
Details are documented in the GitHub issue at https://github.com/assimp/assimp/issues/6027 (the link https://github.com/assimp/assimp/issues/6027#issue-2877629241 is an anchor into the same issue), as well as in the VulDB entries at https://vuldb.com/?ctiid.299063, https://vuldb.com/?id.299063 and https://vuldb.com/?submit.510818. Security practitioners should consult these sources for any patches or workarounds, since this page does not name a fixed version.
The vulnerability was published on 2025-03-10. The exploit has been publicly disclosed, so it is available to attackers without further research.
Details
- CWE(s)