CVE-2025-2757

A critical heap-based buffer overflow vulnerability, designated CVE-2025-2757, affects Open Asset Import Library (Assimp) version 5.4.3. The issue resides in the AI_MD5_PARSE_STRING_IN_QUOTATION function within the file code/AssetLib/MD5/MD5Parser.cpp, part of the MD5 File Handler component. Manipulation of the argument data triggers the overflow, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow). The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and was published on 2025-03-25.

Attackers can exploit this vulnerability remotely without privileges by tricking users into processing malicious input, such as a specially crafted MD5 file, due to the requirement for user interaction. Successful exploitation enables limited impacts: low confidentiality (partial disclosure of sensitive data), low integrity (minor modification of data), and low availability (partial denial of service via crash or resource consumption).

Advisories and discussions, including GitHub issues at https://github.com/assimp/assimp/issues/6019 and https://github.com/assimp/assimp/issues/6019#issue-2877376386, along with VulDB entries at https://vuldb.com/?ctiid.300862, https://vuldb.com/?id.300862, and https://vuldb.com/?submit.517817, provide details on the flaw. The exploit has been publicly disclosed and may be available for use, though specific patch status or mitigation steps are outlined in these references.