CVE-2025-2754
Published: 25 March 2025
Summary
CVE-2025-2754 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp Assimp. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of flaws, directly addressing the need to patch the heap-based buffer overflow in Assimp 5.4.3.
Implements memory protections such as ASLR and DEP that mitigate exploitation of heap buffer overflows from malformed AC3D files.
Requires validation of information inputs to restrict operations within memory bounds, reducing the risk of triggering the buffer overflow via untrusted AC3D files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in AC3D file parser (client-side library) directly enables exploitation for client execution when a malicious file is processed, matching T1203 due to UI:R and remote vector in asset import applications.
NVD Description
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been declared as critical. Affected by this vulnerability is the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument…
more
it leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2754 is a heap-based buffer overflow vulnerability in the Open Asset Import Library (Assimp) version 5.4.3. The flaw affects the Assimp::AC3DImporter::ConvertObjectSection function in the file code/AssetLib/AC/ACLoader.cpp, which is part of the AC3D File Handler component. Manipulation of the argument "it" triggers the overflow, as documented in the CVE description published on 2025-03-25.
The vulnerability enables remote exploitation with no privileges required (PR:N), low attack complexity (AC:L), and network accessibility (AV:N), but it requires user interaction (UI:R). Exploitation can lead to limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), per its CVSS v3.1 base score of 6.3. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).
Advisories reference GitHub issues #6015 and #6015#issue-2877373501 in the Assimp repository, along with VulDB entries (ctiid.300859, id.300859, submit.517788), where the vulnerability and exploit have been publicly disclosed. Security practitioners should monitor these sources for patch availability and mitigation recommendations.
The exploit has been disclosed to the public and may be used, increasing the risk for applications parsing untrusted AC3D files with vulnerable Assimp versions.
Details
- CWE(s)