Cyber Posture

CVE-2025-2592

Medium · Public PoC

Published: 21 March 2025

Modified: 17 July 2025
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0007 (21.4th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

An adversary may rely upon a user opening a malicious file in order to gain execution.

Security Summary

CVE-2025-2592 is a heap-based buffer overflow vulnerability, classified as critical, in the Open Asset Import Library (Assimp) version 5.4.3. The issue resides in the `CSMImporter::InternReadFile` function in the file `code/AssetLib/CSM/CSMLoader.cpp`. Manipulated, malformed input triggers the overflow when the function processes it.

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L), but requires user interaction (UI:R), such as tricking a user into loading a malicious file processed by Assimp. Successful exploitation results in low-impact violations of confidentiality, integrity, and availability (C:L/I:L/A:L), with a CVSS v3.1 base score of 6.3. An exploit has been publicly disclosed and may be usable.

Mitigation is available via a specific patch commit, 2690e354da0c681db000cfd892a55226788f2743, and applying it is recommended. Related GitHub discussions include issue #6010 and pull request #6052, with further details on VulDB.

Details

CWE(s)
CWE-119, CWE-122

Affected Products

assimp 5.4.3

MITRE ATT&CK Enterprise Techniques

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is a buffer overflow triggered when Assimp processes a malformed CSM file. Exploitation requires user interaction to load the malicious file, which maps directly to user execution via a malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
