CVE-2025-2752
Published: 25 March 2025
Summary
CVE-2025-2752 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 26.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the out-of-bounds read vulnerability by requiring timely remediation through patching or upgrading the vulnerable Assimp library.
Implements memory protection mechanisms that prevent exploitation of out-of-bounds reads in the fast_atoreal_move function, limiting potential denial-of-service impacts.
Requires validation of inputs to the Assimp CSM File Handler to block malformed files that trigger the out-of-bounds read, though comprehensive validation may not catch all edge cases.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by malicious file input to the Assimp library and causes an application crash (limited DoS). It maps directly to user execution via a malicious file and to endpoint DoS via application exploitation.
NVD Description
A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function fast_atoreal_move in the library include/assimp/fast_atof.h of the component CSM File Handler. The manipulation leads to out-of-bounds read. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2752 is a vulnerability found in the Open Asset Import Library (Assimp) version 5.4.3, classified as problematic. It affects the fast_atoreal_move function located in the library's include/assimp/fast_atof.h file within the CSM File Handler component. The flaw enables an out-of-bounds read through manipulation of input, as mapped to CWE-119 and CWE-125.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L), indicating that it is exploitable over a network with low attack complexity and no required privileges, but that user interaction is necessary. An unprivileged remote attacker can trigger it by supplying a malicious file for processing by an application that uses Assimp, potentially causing a limited denial of service such as an application crash, with no impact on confidentiality or integrity.
Advisories and reports are documented on the Assimp GitHub repository in issue #6013, including detailed comments at #issue-2877371176, as well as VulDB entries at ctiid.300857, id.300857, and submit.517786. These resources provide vulnerability details, and practitioners should consult them for any updates on patches or workarounds. The exploit has been publicly disclosed and may be used, with the CVE published on 2025-03-25T08:15:20.193.
Details
- CWE(s)