CVE-2025-2751
Published: 25 March 2025
Summary
CVE-2025-2751 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 18.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2751 is a vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, classified as problematic. It affects the function Assimp::CSMImporter::InternReadFile in the file code/AssetLib/CSM/CSMLoader.cpp within the CSM File Handler component. Manipulation of the argument "na" leads to an out-of-bounds read, associated with CWE-119 and CWE-125.
The vulnerability enables remote attacks requiring user interaction, as indicated by its CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). Attackers with no privileges can exploit it by supplying a maliciously crafted CSM file to applications using the affected Assimp version, potentially causing a limited denial-of-service through availability disruption, such as application crashes.
Advisories and reports are documented in GitHub issues at https://github.com/assimp/assimp/issues/6012 and https://github.com/assimp/assimp/issues/6012#issue-2877369817, along with VulDB entries including https://vuldb.com/?ctiid.300856, https://vuldb.com/?id.300856, and https://vuldb.com/?submit.517785.
The exploit has been disclosed to the public and may be used, with the CVE published on 2025-03-25.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8071
Vulnerability details
A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation of the argument na leads to out-of-bounds read. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds read in the Assimp CSM file handler is exploitable remotely via a malformed file with user interaction, enabling exploitation for client execution (T1203) or application denial of service via crash (T1499.004).
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires timely patching or upgrading vulnerable Assimp versions to eliminate the out-of-bounds read in the CSM file handler.
Information input validation ensures malformed CSM files with manipulated 'na' arguments are rejected before processing by the Assimp CSMImporter.
Memory protection mechanisms like ASLR and DEP mitigate potential exploitation of the out-of-bounds read, limiting DoS impact to crashes.