Cyber Posture

CVE-2025-70069

High

Published: 04 May 2026

Published
04 May 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0011 28.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() method

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-10 Concurrent Session Control
addresses: CWE-400 CWE-770

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

CP-4 Contingency Plan Testing
addresses: CWE-400 CWE-770

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

CP-5 Contingency Plan Update
addresses: CWE-400 CWE-770

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

CP-7 Alternate Processing Site
addresses: CWE-400 CWE-770

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

CP-8 Telecommunications Services
addresses: CWE-400 CWE-770

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

PL-6 Security-related Activity Planning
addresses: CWE-400 CWE-770

Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.

PM-6 Measures of Performance
addresses: CWE-400 CWE-770

Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.

SC-10 Network Disconnect
addresses: CWE-400 CWE-770

Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.

Security SummaryAI

CVE-2025-70069 is a denial-of-service vulnerability in Assimp version 6.0.2, an open-source library for processing 3D model formats. The issue resides in the FBXConverter.cpp file, specifically the ConvertMeshMultiMaterial() method, which triggers uncontrolled resource consumption as indicated by associated CWEs-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has a CVSS v3.1 base score of 7.5, reflecting high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant impact on availability with no effects on confidentiality or integrity.

A remote attacker can exploit this vulnerability without authentication by supplying a specially crafted FBX file to an application using the affected Assimp version for 3D model import. Successful exploitation leads to denial of service, such as application crashes or excessive resource exhaustion on the targeted system, potentially disrupting services that rely on Assimp for asset loading in games, 3D rendering tools, or modeling software.

For mitigation details, refer to the official Assimp website at http://assimp.com and the proof-of-concept at https://gist.github.com/GunP4ng/9080ae7f0470c889a59cc3bfca445223, which may include patch information or advisories.

Details

CWE(s)
CWE-400CWE-770

References