CVE-2025-2752
Published: 25 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-2752 is a vulnerability found in the Open Asset Import Library (Assimp) version 5.4.3, classified as problematic. It affects the fast_atoreal_move function located in the library's include/assimp/fast_atof.h file within the CSM File Handler component. The flaw enables an out-of-bounds read through manipulation of input, as mapped to CWE-119 and CWE-125.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L), indicating it is exploitable over a network with low attack complexity, no required privileges, but user interaction is necessary. An unprivileged remote attacker can trigger it by supplying a malicious file for processing by an application using Assimp, potentially causing a limited denial of service such as application crashes, with no impact on confidentiality or integrity.
Advisories and reports are documented on the Assimp GitHub repository in issue #6013, including detailed comments at #issue-2877371176, as well as VulDB entries at ctiid.300857, id.300857, and submit.517786. These resources provide vulnerability details, and practitioners should consult them for any updates on patches or workarounds. The exploit has been publicly disclosed and may be used, with the CVE published on 2025-03-25T08:15:20.193.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability triggered by malicious file input to Assimp library causes application crash (limited DoS); directly maps to user execution via malicious file and endpoint DoS via application exploitation.