Cyber Posture

CVE-2025-3015

Medium · Public PoC

Published: 31 March 2025

Modified: 17 April 2025
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0040 (60.4th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in client applications to execute code.

Security Summary

CVE-2025-3015 is an out-of-bounds read vulnerability in the Open Asset Import Library (Assimp) version 5.4.3. It affects the function Assimp::ASEImporter::BuildUniqueRepresentation in the file code/AssetLib/ASE/ASELoader.cpp, which is part of the ASE File Handler component. Manipulation of the mIndices argument triggers the out-of-bounds read. The issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an attacker who tricks a user into processing a specially crafted ASE file; it requires user interaction but no privileges. Successful exploitation leads to limited impacts on confidentiality, integrity, and availability, such as potential information disclosure or denial of service through memory corruption. The exploit has been publicly disclosed and may be used in attacks against applications that rely on Assimp for ASE file parsing.

Mitigation involves upgrading to Assimp version 6.0, which addresses the issue. A specific patch is available at commit 7c705fde418d68cca4e8eff56be01b2617b0d6fe, and applying it is recommended. Additional details are documented in Assimp GitHub issue #6021 and pull request #6045, along with the VulDB entry.

Details

CWE(s)
CWE-119, CWE-125

Affected Products

assimp
assimp
5.4.3

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

An out-of-bounds read (CWE-125) in the Assimp ASE file handler is exploitable remotely via a malformed ASE file with user interaction (e.g., loading the file in a vulnerable client application), enabling code execution via a client-side software vulnerability.
