CVE-2025-2152
Published: 10 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-2152 is a heap-based buffer overflow vulnerability classified as critical in the Open Asset Import Library (Assimp) version 5.4.3. The issue resides in the Assimp::BaseImporter::ConvertToUTF8 function within the BaseImporter.cpp file, part of the File Handler component. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-122 (Heap-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).
The flaw is reachable remotely but requires user interaction: a victim must open a specially crafted file in an application that uses Assimp for asset import, at which point attacker-controlled bytes reach the affected function. Successful exploitation has limited impacts, rated low for confidentiality (C:L), integrity (I:L), and availability (A:L), and could lead to partial data exposure, data modification, or denial of service through the heap overflow. No privileges are needed and the attack complexity is low, but the attack still depends on tricking a user into processing a malicious file.
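As an added example (not Assimp's code, and not the fix for this CVE, whose exact defect the page does not describe), the following C++ shows the bounds-checked shape a BOM-sniffing text decoder of the ConvertToUTF8 kind needs: every read is derived from the buffer length, so inputs shorter than a byte order mark, odd-length UTF-16 payloads and truncated surrogate pairs degrade to U+FFFD replacement characters instead of reading or writing outside the heap buffer, which is the class of guard that CWE-119/CWE-787 defects in such a routine lack. The namespace `example`, the functions `convertToUtf8`, `detectBom` and `appendUtf8`, and the sample inputs are this example's own.

```cpp
// Added example (not Assimp's code): a bounds-checked text decoder of the
// kind an asset importer runs before parsing a text-based model format.
// It normalises a raw file buffer to UTF-8, honouring UTF-8 and UTF-16
// byte order marks, and never indexes past the buffer's size.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

namespace example {

enum class Encoding { Utf8, Utf16LE, Utf16BE };

// Append one Unicode scalar value to `out` as UTF-8 (1 to 4 bytes).
static void appendUtf8(std::string& out, uint32_t cp) {
    if (cp < 0x80) {
        out.push_back(static_cast<char>(cp));
    } else if (cp < 0x800) {
        out.push_back(static_cast<char>(0xC0 | (cp >> 6)));
        out.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
    } else if (cp < 0x10000) {
        out.push_back(static_cast<char>(0xE0 | (cp >> 12)));
        out.push_back(static_cast<char>(0x80 | ((cp >> 6) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
    } else {
        out.push_back(static_cast<char>(0xF0 | (cp >> 18)));
        out.push_back(static_cast<char>(0x80 | ((cp >> 12) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | ((cp >> 6) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | (cp & 0x3F)));
    }
}

// Detect a BOM without reading past `size`. Returns the BOM length in
// bytes (0 when none). A 0- or 1-byte buffer is legal input that simply
// has no BOM; this size check must precede any access to data[1]/data[2].
static size_t detectBom(const uint8_t* data, size_t size, Encoding& enc) {
    enc = Encoding::Utf8;
    if (size >= 3 && data[0] == 0xEF && data[1] == 0xBB && data[2] == 0xBF) return 3;
    if (size >= 2 && data[0] == 0xFF && data[1] == 0xFE) { enc = Encoding::Utf16LE; return 2; }
    if (size >= 2 && data[0] == 0xFE && data[1] == 0xFF) { enc = Encoding::Utf16BE; return 2; }
    return 0;
}

// Convert a raw file buffer to UTF-8. Malformed input (odd byte counts,
// lone or truncated surrogates) becomes U+FFFD rather than an out-of-bounds
// access, because every index is bounded by `n`.
std::string convertToUtf8(const std::vector<uint8_t>& buf) {
    Encoding enc;
    const size_t bomLen = detectBom(buf.data(), buf.size(), enc);
    const uint8_t* p = buf.data() + bomLen;
    const size_t n = buf.size() - bomLen;

    if (enc == Encoding::Utf8) {
        // Already UTF-8 (or unknown 8-bit text): strip the BOM and pass through.
        return std::string(reinterpret_cast<const char*>(p), n);
    }

    std::string out;
    out.reserve(n);  // capacity hint only; appendUtf8 grows the string as needed
    const bool le = (enc == Encoding::Utf16LE);
    size_t i = 0;
    // Consume complete 16-bit code units only; a trailing odd byte is handled below.
    while (i + 1 < n) {
        uint32_t unit = le ? (p[i] | (p[i + 1] << 8)) : ((p[i] << 8) | p[i + 1]);
        i += 2;
        if (unit >= 0xD800 && unit <= 0xDBFF) {  // high surrogate: needs a low one next
            if (i + 1 < n) {
                uint32_t low = le ? (p[i] | (p[i + 1] << 8)) : ((p[i] << 8) | p[i + 1]);
                if (low >= 0xDC00 && low <= 0xDFFF) {
                    i += 2;
                    appendUtf8(out, 0x10000 + ((unit - 0xD800) << 10) + (low - 0xDC00));
                    continue;
                }
            }
            appendUtf8(out, 0xFFFD);  // lone or truncated high surrogate
            continue;
        }
        if (unit >= 0xDC00 && unit <= 0xDFFF) {  // stray low surrogate
            appendUtf8(out, 0xFFFD);
            continue;
        }
        appendUtf8(out, unit);
    }
    if (i < n) appendUtf8(out, 0xFFFD);  // dangling odd byte at end of buffer
    return out;
}

}  // namespace example

int main() {
    // Constructed input: UTF-16LE BOM, "hi", then a truncated trailing byte.
    const std::vector<uint8_t> sample{0xFF, 0xFE, 'h', 0, 'i', 0, 'x'};
    std::cout << example::convertToUtf8(sample) << '\n';  // prints "hi" + U+FFFD
    return 0;
}
```

The point to carry over to any parser of untrusted files is the order of operations in `detectBom`: the length comparison is evaluated before the byte comparison, so a one-byte or empty file can never cause a read beyond the allocation, and the UTF-16 loop's condition `i + 1 < n` guarantees both bytes of a code unit exist before they are touched.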
Advisories and details are documented in the GitHub issue at https://github.com/assimp/assimp/issues/6027 (and its issue body at https://github.com/assimp/assimp/issues/6027#issue-2877629241), as well as in the VulDB entries at https://vuldb.com/?ctiid.299063, https://vuldb.com/?id.299063, and https://vuldb.com/?submit.510818. Security practitioners should consult these sources for patches or workarounds.
The vulnerability was published on 2025-03-10, and an exploit has been publicly disclosed, so it is available to attackers.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a heap-based buffer overflow in a file-parsing library (Assimp) that is triggered when a user opens a specially crafted file, which maps directly to the technique of delivering a malicious file that the victim opens in order to gain execution.