Cyber Resilience

CVE-2025-2753

MediumPublic PoC

Published: 25 March 2025

Published
25 March 2025
Modified
17 July 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0010 26.8th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2753 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp Assimp. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2753 is a vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, classified as critical. It affects the SceneCombiner::MergeScenes function in the file code/AssetLib/LWS/LWSLoader.cpp within the LWS File Handler component, resulting in an out-of-bounds read (CWE-119, CWE-125).

The vulnerability enables remote exploitation by an unauthenticated attacker requiring low complexity and user interaction, such as processing a malicious LWS file, per its CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). Successful attacks can achieve low levels of confidentiality, integrity, and availability impact.

Advisories reference GitHub issues #6014 and #6014#issue-2877372462 in the assimp/assimp repository, along with VulDB entries at ctiid.300858, id.300858, and submit.517787, where the exploit has been publicly disclosed and may be used.

The vulnerability was published on 2025-03-25, with the exploit already available to the public.

EU & UK References

Vulnerability details

A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as critical. Affected is the function SceneCombiner::MergeScenes of the file code/AssetLib/LWS/LWSLoader.cpp of the component LWS File Handler. The manipulation leads to out-of-bounds read. It is…

more

possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is an out-of-bounds read in a file parser (LWSLoader) explicitly triggered by processing a malicious LWS file with user interaction, directly enabling the User Execution technique via malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2755Same product: Assimp Assimp
CVE-2025-2752Same product: Assimp Assimp
CVE-2025-2592Same product: Assimp Assimp
CVE-2025-15538Same product: Assimp Assimp
CVE-2025-2152Same product: Assimp Assimp
CVE-2025-2751Same product: Assimp Assimp
CVE-2025-3015Same product: Assimp Assimp
CVE-2025-2750Same product: Assimp Assimp
CVE-2025-2151Same product: Assimp Assimp
CVE-2025-2757Same product: Assimp Assimp

Affected Assets

assimp
assimp
5.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the out-of-bounds read vulnerability in Assimp's LWS file handler by applying vendor patches or upgrades.

prevent

Implements memory protections such as ASLR and DEP to mitigate exploitation of the out-of-bounds read, limiting information disclosure and potential code execution.

prevent

Validates LWS file inputs before parsing to detect and block malformed files that trigger the out-of-bounds read in SceneCombiner::MergeScenes.

References