CVE-2025-2751
Published: 25 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-2751 is a vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, classified as problematic. It affects the function Assimp::CSMImporter::InternReadFile in the file code/AssetLib/CSM/CSMLoader.cpp within the CSM File Handler component. Manipulation of the argument "na" leads to an out-of-bounds read, associated with CWE-119 and CWE-125.
The vulnerability enables remote attacks requiring user interaction, as indicated by its CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). Attackers with no privileges can exploit it by supplying a maliciously crafted CSM file to applications using the affected Assimp version, potentially causing a limited denial-of-service through availability disruption, such as application crashes.
Advisories and reports are documented in GitHub issues at https://github.com/assimp/assimp/issues/6012 and https://github.com/assimp/assimp/issues/6012#issue-2877369817, along with VulDB entries including https://vuldb.com/?ctiid.300856, https://vuldb.com/?id.300856, and https://vuldb.com/?submit.517785.
The exploit has been disclosed to the public and may be used, with the CVE published on 2025-03-25.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds read in Assimp CSM file handler exploitable remotely via malformed file with user interaction, enabling exploitation for client execution (T1203) or application denial of service via crash (T1499.004).