CVE-2025-2755
Published: 25 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-2755 is a vulnerability in the Open Asset Import Library (Assimp) version 5.4.3, rated as critical. It affects the function Assimp::AC3DImporter::ConvertObjectSection in the file code/AssetLib/AC/ACLoader.cpp within the AC3D File Handler component. The issue involves an out-of-bounds read caused by manipulation of the src.entries argument and is classified under CWE-119 and CWE-125.
The vulnerability can be exploited remotely by any unauthenticated attacker, requiring low complexity and user interaction, as indicated by its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). An attacker can achieve this by supplying a malicious AC3D file that a user or application processes, resulting in low impacts to confidentiality, integrity, and availability. The exploit has been disclosed to the public.
Advisories and further details are available in the referenced sources, including GitHub issues at https://github.com/assimp/assimp/issues/6017 and https://github.com/assimp/assimp/issues/6017#issue-2877374161, as well as VulDB entries at https://vuldb.com/?ctiid.300860, https://vuldb.com/?id.300860, and https://vuldb.com/?submit.517789.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is directly triggered by processing a malicious AC3D file supplied by an attacker, mapping to user execution via a malicious file (T1204.002). The OOB read in the file parser (with UI:R) enables this client-side exploitation path but does not indicate code execution or server-side remote exploitation without interaction.