CVE-2025-2753
Published: 25 March 2025
Summary
CVE-2025-2753 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp Assimp. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the out-of-bounds read vulnerability in Assimp's LWS file handler by applying vendor patches or upgrades.
Implements memory protections such as ASLR and DEP to mitigate exploitation of the out-of-bounds read, limiting information disclosure and potential code execution.
Validates LWS file inputs before parsing to detect and block malformed files that trigger the out-of-bounds read in SceneCombiner::MergeScenes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an out-of-bounds read in a file parser (LWSLoader) explicitly triggered by processing a malicious LWS file with user interaction, directly enabling the User Execution technique via malicious file.
NVD Description
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as critical. Affected is the function SceneCombiner::MergeScenes of the file code/AssetLib/LWS/LWSLoader.cpp of the component LWS File Handler. The manipulation leads to out-of-bounds read. It is…
more
possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2753 is a vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, classified as critical. It affects the SceneCombiner::MergeScenes function in the file code/AssetLib/LWS/LWSLoader.cpp within the LWS File Handler component, resulting in an out-of-bounds read (CWE-119, CWE-125).
The vulnerability enables remote exploitation by an unauthenticated attacker requiring low complexity and user interaction, such as processing a malicious LWS file, per its CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). Successful attacks can achieve low levels of confidentiality, integrity, and availability impact.
Advisories reference GitHub issues #6014 and #6014#issue-2877372462 in the assimp/assimp repository, along with VulDB entries at ctiid.300858, id.300858, and submit.517787, where the exploit has been publicly disclosed and may be used.
The vulnerability was published on 2025-03-25, with the exploit already available to the public.
Details
- CWE(s)