CVE-2025-2757
Published: 25 March 2025
Summary
CVE-2025-2757 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp Assimp. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 28.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and correction of flaws like this heap-based buffer overflow in Assimp by applying patches or upgrades.
Implements memory protection mechanisms such as ASLR and non-executable memory that prevent exploitation of heap buffer overflows.
Requires validation of information inputs like MD5 files to block malformed data from reaching the vulnerable parser function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in Assimp MD5 parser enables remote code execution via malicious MD5 files processed by applications using the library, facilitating Exploitation for Client Execution (T1203).
NVD Description
A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function AI_MD5_PARSE_STRING_IN_QUOTATION of the file code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The manipulation of the argument data leads to heap-based buffer…
more
overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
A critical heap-based buffer overflow vulnerability, designated CVE-2025-2757, affects Open Asset Import Library (Assimp) version 5.4.3. The issue resides in the AI_MD5_PARSE_STRING_IN_QUOTATION function within the file code/AssetLib/MD5/MD5Parser.cpp, part of the MD5 File Handler component. Manipulation of the argument data triggers the overflow, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and was published on 2025-03-25.
Attackers can exploit this vulnerability remotely without privileges by tricking users into processing malicious input, such as a specially crafted MD5 file, due to the requirement for user interaction. Successful exploitation enables limited impacts: low confidentiality (partial disclosure of sensitive data), low integrity (minor modification of data), and low availability (partial denial of service via crash or resource consumption).
Advisories and discussions, including GitHub issues at https://github.com/assimp/assimp/issues/6019 and https://github.com/assimp/assimp/issues/6019#issue-2877376386, along with VulDB entries at https://vuldb.com/?ctiid.300862, https://vuldb.com/?id.300862, and https://vuldb.com/?submit.517817, provide details on the flaw. The exploit has been publicly disclosed and may be available for use, though specific patch status or mitigation steps are outlined in these references.
Details
- CWE(s)