CVE-2025-53009
Published: 01 August 2025
Summary
CVE-2025-53009 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Linuxfoundation Materialx. Its CVSS base score is 5.5 (Medium).
Operationally, ranked in the top 16.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
MaterialX is an open standard for exchanging material and look-development content, and versions 1.39.2 and earlier contain a denial-of-service vulnerability in the XML parsing logic that handles MTLX files containing multiple nested nodegraph implementations. The parser can be driven into stack exhaustion, producing a crash classified under CWE-121 with a CVSS 4.0 score of 5.5.
An unauthenticated remote attacker can supply a crafted MTLX file to any application that consumes MaterialX data, causing the target process to terminate. The supplied description notes that the same vector can be used against programs that incorporate OpenEXR when they ingest the malicious file.
The official fix is included in MaterialX 1.39.3. The project has published a security advisory, a corresponding pull request, and release notes that document the change; a proof-of-concept is also available in a public repository.
EPSS remains low at 0.0177 with no material increase from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23382
Vulnerability details
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially…
more
crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.