CVE-2025-70069

High · DDoS

Published: 04 May 2026

Modified: 05 May 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0015 (35.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-70069 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Assimp (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 35.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-70069 is a denial-of-service vulnerability in Assimp version 6.0.2, an open-source library for processing 3D model formats. The issue resides in the FBXConverter.cpp file, specifically the ConvertMeshMultiMaterial() method, which triggers uncontrolled resource consumption, as indicated by the associated CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has a CVSS v3.1 base score of 7.5, reflecting high severity: it is reachable over the network, has low attack complexity, requires no privileges or user interaction, and has a high impact on availability with no effect on confidentiality or integrity.

A remote attacker can exploit this vulnerability without authentication by supplying a specially crafted FBX file to an application using the affected Assimp version for 3D model import. Successful exploitation leads to denial of service, such as application crashes or excessive resource exhaustion on the targeted system, potentially disrupting services that rely on Assimp for asset loading in games, 3D rendering tools, or modeling software.

For mitigation details, refer to the official Assimp website at http://assimp.com and the proof-of-concept at https://gist.github.com/GunP4ng/9080ae7f0470c889a59cc3bfca445223, which may include patch information or advisories.

Vulnerability details

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() method

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE directly enables Endpoint DoS via application exploitation: supplying crafted FBX input triggers uncontrolled resource consumption in the Assimp library.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25762: Shared CWE-400, CWE-770
CVE-2026-25673: Shared CWE-400, CWE-770
CVE-2026-40192: Shared CWE-400, CWE-770
CVE-2026-34826: Shared CWE-400, CWE-770
CVE-2026-42583: Shared CWE-400, CWE-770
CVE-2026-25535: Shared CWE-400, CWE-770
CVE-2026-41309: Shared CWE-400, CWE-770
CVE-2025-68272: Shared CWE-400, CWE-770
CVE-2026-22815: Shared CWE-400, CWE-770
CVE-2026-25140: Shared CWE-400, CWE-770

Affected Assets

Assimp
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the specific uncontrolled resource consumption vulnerability in Assimp's ConvertMeshMultiMaterial method by applying patches or upgrading to a fixed version.

prevent

Denial-of-service protection implements safeguards at system entry points to block resource exhaustion attacks from crafted FBX files exploiting Assimp.

prevent

Resource availability enforces limits on allocations during 3D model processing to mitigate CWE-770 and CWE-400 issues in Assimp's FBX converter.
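
A sketch of the resource-availability control described above, as an added example that is not Assimp's or this page's own code: it pre-screens an untrusted FBX file in a throwaway child process with memory and CPU caps. It assumes a POSIX host with the `assimp` command-line tool on PATH; the function names and limit values are hypothetical.

```python
import resource
import subprocess


def _cap(kind, value):
    # Never try to raise a limit above the hard limit we inherited.
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def run_limited(argv, mem_bytes=1 << 30, cpu_seconds=10, wall_seconds=30):
    """Run argv with capped address space and CPU time (limit values are assumed).

    Returns "ok" (exit 0), "error" (non-zero exit or not runnable),
    "killed" (terminated by a signal, e.g. CPU cap hit) or "timeout".
    """
    def limits():
        # Runs in the child between fork() and exec(); POSIX only.
        _cap(resource.RLIMIT_AS, mem_bytes)
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_CORE, 0)  # no core dumps from hostile input

    try:
        proc = subprocess.run(
            argv, preexec_fn=limits, timeout=wall_seconds,
            stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    except (OSError, subprocess.SubprocessError):
        return "error"
    if proc.returncode == 0:
        return "ok"
    return "killed" if proc.returncode < 0 else "error"


def prescreen_fbx(path, importer=("assimp", "info")):
    """Parse an untrusted FBX in a throwaway process before the service loads it.

    Assumes the assimp command-line tool is installed; only "ok" files
    should be handed to the in-process importer.
    """
    return run_limited([*importer, path])
```

This contains the resource exhaustion in a disposable process rather than fixing the flaw, so flaw remediation remains the primary control.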
