CVE-2025-70069
Published: 04 May 2026
Summary
CVE-2025-70069 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Assimp (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-70069 is a denial-of-service vulnerability in Assimp version 6.0.2, an open-source library for processing 3D model formats. The issue resides in the FBXConverter.cpp file, specifically the ConvertMeshMultiMaterial() method, which triggers uncontrolled resource consumption, as indicated by the associated weaknesses CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has a CVSS v3.1 base score of 7.5, reflecting high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant impact on availability, with no effect on confidentiality or integrity.
A remote attacker can exploit this vulnerability without authentication by supplying a specially crafted FBX file to an application using the affected Assimp version for 3D model import. Successful exploitation leads to denial of service, such as application crashes or excessive resource exhaustion on the targeted system, potentially disrupting services that rely on Assimp for asset loading in games, 3D rendering tools, or modeling software.
For mitigation details, refer to the official Assimp website at http://assimp.com and to the proof-of-concept reference at https://gist.github.com/GunP4ng/9080ae7f0470c889a59cc3bfca445223, either of which may include patch information or advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209618
Vulnerability details
An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() method.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE directly enables Endpoint DoS via application exploitation (T1499.004): crafted FBX input triggers uncontrolled resource consumption in the Assimp library.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the specific uncontrolled resource consumption vulnerability in Assimp's ConvertMeshMultiMaterial method by applying patches or upgrading to a fixed version.
Denial-of-service protection implements safeguards at system entry points to block resource exhaustion attacks from crafted FBX files exploiting Assimp.
Resource availability enforces limits on allocations during 3D model processing to mitigate CWE-770 and CWE-400 issues in Assimp's FBX converter.
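The control described above, bounding allocations during model processing, comes down to one habit in parser code: validate every attacker-controlled element count against a policy cap and against the bytes actually present before allocating or looping on it. The following C program is an added illustration of that habit for the CWE-770 / CWE-400 pattern this advisory names; it is not Assimp code and does not reproduce the FBXConverter.cpp defect. The file format (a 4-byte little-endian vertex count followed by 12-byte vertices), the MAX_VERTICES cap, and the sample inputs are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VERTEX_SIZE 12u           /* three IEEE-754 floats per vertex (toy format) */
#define MAX_VERTICES (1u << 20)   /* policy cap: assumed limit for this example */

typedef struct {
    float *data;
    size_t count;
} mesh_t;

typedef enum {
    MESH_OK = 0,
    MESH_ERR_SHORT_HEADER,   /* fewer than 4 bytes, no count present */
    MESH_ERR_OVER_CAP,       /* count exceeds the policy cap */
    MESH_ERR_OVERFLOW,       /* count * VERTEX_SIZE would overflow size_t */
    MESH_ERR_TRUNCATED,      /* count claims more payload than the file carries */
    MESH_ERR_ALLOC           /* allocator refused a request that passed all checks */
} mesh_status;

static const char *mesh_status_name(mesh_status s) {
    static const char *names[] = { "ok", "short header", "count over policy cap",
                                   "size overflow", "truncated payload", "allocation failed" };
    return names[s];
}

static uint32_t read_u32_le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate an untrusted element count before any allocation happens.
 * payload_len is the number of bytes that follow the header. */
mesh_status check_vertex_count(uint32_t n, size_t payload_len) {
    if (n > MAX_VERTICES) return MESH_ERR_OVER_CAP;
    if (n > SIZE_MAX / VERTEX_SIZE) return MESH_ERR_OVERFLOW;   /* matters on 32-bit size_t */
    if ((size_t)n * VERTEX_SIZE > payload_len) return MESH_ERR_TRUNCATED;
    return MESH_OK;
}

/* Bounded loader: the header count is only used after it has been checked. */
mesh_status load_mesh_bounded(const unsigned char *buf, size_t len, mesh_t *out) {
    out->data = NULL;
    out->count = 0;
    if (len < 4) return MESH_ERR_SHORT_HEADER;
    uint32_t n = read_u32_le(buf);
    mesh_status st = check_vertex_count(n, len - 4);
    if (st != MESH_OK) return st;
    if (n == 0) return MESH_OK;
    out->data = malloc((size_t)n * VERTEX_SIZE);
    if (!out->data) return MESH_ERR_ALLOC;
    memcpy(out->data, buf + 4, (size_t)n * VERTEX_SIZE);
    out->count = n;
    return MESH_OK;
}

/* Constructed sample inputs (not real FBX files). */
static const unsigned char SAMPLE_OK[4 + 2 * VERTEX_SIZE] = { 0x02, 0, 0, 0 }; /* 2 vertices, zeroed */
static const unsigned char SAMPLE_HUGE[4]  = { 0xFF, 0xFF, 0xFF, 0xFF };       /* claims ~4 billion */
static const unsigned char SAMPLE_TRUNC[8] = { 0x03, 0, 0, 0, 1, 2, 3, 4 };    /* claims 3, carries 4 bytes */

int main(void) {
    mesh_t m;
    mesh_status st;
    st = load_mesh_bounded(SAMPLE_OK, sizeof SAMPLE_OK, &m);
    printf("well-formed file: %s (%zu vertices)\n", mesh_status_name(st), m.count);
    free(m.data);
    st = load_mesh_bounded(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &m);
    printf("huge count:       %s\n", mesh_status_name(st));
    st = load_mesh_bounded(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &m);
    printf("truncated file:   %s\n", mesh_status_name(st));
    return 0;
}
```

The order of the checks is deliberate: the policy cap rejects absurd counts before the arithmetic that could overflow on a 32-bit size_t, and the truncation check ties the count to the bytes actually received, so a four-byte file cannot drive a multi-gigabyte allocation no matter what its header claims. Pairing such in-parser limits with process-level memory and CPU limits on the importing service gives the defense in depth that SC-5 and SC-6 describe.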