
CVE-2025-53009

Severity: Medium · Public PoC available

Published: 01 August 2025
Modified: 20 August 2025
KEV Added: not listed
Patch: fixed in MaterialX 1.39.3
CVSS v4.0 score: 5.5 (Medium). Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0177 (83.1st percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53009 is a medium-severity vulnerability in the Linux Foundation's MaterialX, classified as a Stack-based Buffer Overflow (CWE-121); the advisory itself describes the failure as stack exhaustion during XML parsing. Its CVSS v4.0 base score is 5.5 (Medium), with the vector recording an availability impact only (VA:L) and no confidentiality or integrity impact.

Operationally, it ranks in the top 16.9% of CVEs by EPSS exploit likelihood (83.1st percentile); it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.

Deeper analysis

MaterialX is an open standard for exchanging material and look-development content. Versions 1.39.2 and earlier contain a denial-of-service vulnerability in the XML parsing logic that handles MTLX files containing multiple nested nodegraph implementations. The nesting depth of the input consumes the parser's call stack until the process crashes; the page classifies this stack exhaustion under CWE-121 with a CVSS v4.0 score of 5.5.

An unauthenticated attacker can supply a crafted MTLX file to any application that consumes MaterialX data, causing the target process to terminate. The CVSS vector marks the issue as network-reachable with no privileges or user interaction required (AV:N/PR:N/UI:N); for a file-format bug that means any service or pipeline that ingests MTLX assets from untrusted sources (asset exchange, import paths, render farms) is in scope. The supplied description says the same vector can be used to crash programs that use OpenEXR; that wording is inconsistent with the affected-product listing on this page, which names only MaterialX, so treat any program that loads MTLX through MaterialX's parser as the exposed software.
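The failure mode above is recursion depth driven by attacker-controlled nesting. The following is an added example, not code from the MaterialX project (whose parser is C++): it shows in Python the naive recursive-descent shape that exhausts the stack, beside a streaming depth gate that rejects an over-nested MTLX document before any tree is built or the file is handed to the real library. The element names follow the MTLX format; the 16-level limit, the function names and the generated documents are assumptions for illustration.

```python
"""Depth gate for untrusted MTLX input.

Added example, not MaterialX project code.  The unbounded-recursion pattern
and the streaming depth check are shown in Python; MAX_ELEMENT_DEPTH is a
hypothetical policy value, not something the project defines.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

MAX_ELEMENT_DEPTH = 16  # hypothetical policy limit; real MTLX files are shallow


def build_nested_mtlx(depth: int) -> bytes:
    """Constructed test input: `depth` nodegraph elements nested inside each other.

    Element depth of the result is depth + 2 (root <materialx> plus the innermost
    <constant> node)."""
    opening = "".join(f'<nodegraph name="g{i}">' for i in range(depth))
    closing = "</nodegraph>" * depth
    doc = (
        '<?xml version="1.0"?><materialx version="1.39">'
        + opening
        + '<constant name="c" type="float"/>'
        + closing
        + "</materialx>"
    )
    return doc.encode()


def walk_recursive(elem: ET.Element) -> int:
    """Naive recursive descent: one stack frame per nesting level and no limit.

    This is the shape of logic a stack-exhaustion input targets.  In a C++
    parser the process crashes; in Python the interpreter raises RecursionError."""
    return 1 + max((walk_recursive(child) for child in elem), default=0)


def recursive_walk_overflows(data: bytes) -> bool:
    """True if the naive walk runs out of stack on this document."""
    root = ET.fromstring(data)
    try:
        walk_recursive(root)
    except RecursionError:
        return True
    return False


def check_mtlx_depth(data: bytes, max_depth: int = MAX_ELEMENT_DEPTH) -> int:
    """Streaming depth gate built on expat callbacks: no tree and no recursion.

    Returns the maximum element depth seen.  Raises ValueError as soon as the
    limit is exceeded, so an over-nested file is rejected before it reaches a
    recursive parser; malformed XML raises expat.ExpatError."""
    depth = 0
    max_seen = 0

    def on_start(name, attrs):
        nonlocal depth, max_seen
        depth += 1
        if depth > max_depth:
            raise ValueError(
                f"nesting depth {depth} exceeds limit {max_depth} at <{name}>"
            )
        max_seen = max(max_seen, depth)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(data, True)  # a handler exception aborts the parse and propagates
    return max_seen


def is_within_depth_limit(data: bytes, max_depth: int = MAX_ELEMENT_DEPTH) -> bool:
    """Boolean form of the gate for callers that only need accept/reject."""
    try:
        check_mtlx_depth(data, max_depth)
    except ValueError:
        return False
    return True


def safe_parse(data: bytes, max_depth: int = MAX_ELEMENT_DEPTH) -> ET.Element:
    """Gate first, then build the tree; only then hand the file to the real library."""
    check_mtlx_depth(data, max_depth)
    return ET.fromstring(data)


if __name__ == "__main__":
    shallow, deep = build_nested_mtlx(4), build_nested_mtlx(2000)
    print("shallow document depth:", check_mtlx_depth(shallow))
    print("naive walk overflows on deep input:", recursive_walk_overflows(deep))
    print("deep input passes gate:", is_within_depth_limit(deep))
```

The gate runs on the raw bytes with a SAX-style parser, so its cost is linear in input size and constant in stack, which is the property the vulnerable code lacks. In a deployment the limit should sit just above the deepest legitimate nodegraph nesting your own assets use, and rejections should be logged with the offending element and depth so that probing is visible.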

The official fix is included in MaterialX 1.39.3. The project has published a security advisory, a corresponding pull request, and release notes that document the change; a proof-of-concept is also available in a public repository.

EPSS remains low at 0.0177 with no material increase from its initial value.


Vulnerability details

MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.

CWE(s)

CWE-121: Stack-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: linuxfoundation
Product: materialx
Version: 1.39.2 (and earlier, per the advisory; fixed in 1.39.3)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
