CVE-2025-2750
Published: 25 March 2025
Summary
CVE-2025-2750 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp (Open Asset Import Library). Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 24.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires updating Assimp from version 5.4.3 to a patched release, directly eliminating the out-of-bounds write vulnerability in the CSM file handler.
Memory protection mechanisms like address space layout randomization, data execution prevention, and stack canaries prevent exploitation of the out-of-bounds write even if unpatched.
Information input validation in applications using Assimp restricts malformed CSM files from reaching the vulnerable InternReadFile function, mitigating the root cause of improper bounds handling.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write in CSM file parser directly enables code execution via malicious file processing in client applications (T1204.002) and exploitation for client execution (T1203).
NVD Description
A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2750 is a critical vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, specifically affecting the Assimp::CSMImporter::InternReadFile function in the file code/AssetLib/CSM/CSMLoader.cpp within the CSM File Handler component. The flaw manifests as an out-of-bounds write, associated with CWE-119 and CWE-787.
The vulnerability is remotely exploitable over the network with low attack complexity and no required privileges, but it requires user interaction, such as processing a malicious CSM file in an Assimp-dependent application. Attackers can achieve limited impacts on confidentiality, integrity, and availability, per the CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
Advisories and discussions on mitigation are available in GitHub issues at assimp/assimp #6011 and VulDB entries (ctiid.300855, id.300855, submit.517783). The exploit has been publicly disclosed and may be used.
Details
- CWE(s)