CVE-2025-2754
Published: 25 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-2754 is a heap-based buffer overflow vulnerability in the Open Asset Import Library (Assimp) version 5.4.3. The flaw affects the Assimp::AC3DImporter::ConvertObjectSection function in the file code/AssetLib/AC/ACLoader.cpp, which is part of the AC3D File Handler component. Manipulation of the argument "it" triggers the overflow, as documented in the CVE description published on 2025-03-25.
The vulnerability enables remote exploitation with no privileges required (PR:N), low attack complexity (AC:L), and network accessibility (AV:N), but it requires user interaction (UI:R). Exploitation can lead to limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), per its CVSS v3.1 base score of 6.3. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).
Advisories reference GitHub issues #6015 and #6015#issue-2877373501 in the Assimp repository, along with VulDB entries (ctiid.300859, id.300859, submit.517788), where the vulnerability and exploit have been publicly disclosed. Security practitioners should monitor these sources for patch availability and mitigation recommendations.
The exploit has been disclosed to the public and may be used, increasing the risk for applications parsing untrusted AC3D files with vulnerable Assimp versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap-based buffer overflow in AC3D file parser (client-side library) directly enables exploitation for client execution when a malicious file is processed, matching T1203 due to UI:R and remote vector in asset import applications.