CVE-2025-2755
Published: 25 March 2025
Summary
CVE-2025-2755 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 26.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and patching of the out-of-bounds read flaw in Assimp's AC3D file handler to prevent remote exploitation via malicious files.
Implements memory safeguards such as address space layout randomization and non-executable memory to restrict unauthorized out-of-bounds reads in the Assimp parser.
Mandates validation of AC3D file inputs, including src.entries, to block malformed data that triggers the out-of-bounds read vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is directly triggered by processing a malicious AC3D file supplied by an attacker, mapping to user execution via a malicious file (T1204.002). The OOB read in the file parser (with UI:R) enables this client-side exploitation path but does not indicate code execution or server-side remote exploitation without interaction.
NVD Description
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as critical. Affected by this issue is the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument src.entries leads to out-of-bounds read. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2755 is a vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, rated as critical. It affects the function Assimp::AC3DImporter::ConvertObjectSection in the file code/AssetLib/AC/ACLoader.cpp within the AC3D File Handler component. The issue involves an out-of-bounds read caused by manipulation of the src.entries argument and is classified under CWE-119 and CWE-125.
The vulnerability can be exploited remotely by any unauthenticated attacker, requiring low complexity and user interaction, as indicated by its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). An attacker can achieve this by supplying a malicious AC3D file that a user or application processes, resulting in low impacts to confidentiality, integrity, and availability. The exploit has been disclosed to the public.
Advisories and further details are available in the referenced sources, including GitHub issues at https://github.com/assimp/assimp/issues/6017 and https://github.com/assimp/assimp/issues/6017#issue-2877374161, as well as VulDB entries at https://vuldb.com/?ctiid.300860, https://vuldb.com/?id.300860, and https://vuldb.com/?submit.517789.
Details
- CWE(s)