CVE-2025-2753
Published: 25 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-2753 is a vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, classified as critical. It affects the SceneCombiner::MergeScenes function in the file code/AssetLib/LWS/LWSLoader.cpp within the LWS File Handler component, resulting in an out-of-bounds read (CWE-119, CWE-125).
The vulnerability enables remote exploitation by an unauthenticated attacker requiring low complexity and user interaction, such as processing a malicious LWS file, per its CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). Successful attacks can achieve low levels of confidentiality, integrity, and availability impact.
Advisories reference GitHub issues #6014 and #6014#issue-2877372462 in the assimp/assimp repository, along with VulDB entries at ctiid.300858, id.300858, and submit.517787, where the exploit has been publicly disclosed and may be used.
The vulnerability was published on 2025-03-25, with the exploit already available to the public.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an out-of-bounds read in a file parser (LWSLoader) explicitly triggered by processing a malicious LWS file with user interaction, directly enabling the User Execution technique via malicious file.