CVE-2025-3159

EUVD-2025-9625

03.04.2025, 14:15

A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::ASE::Parser::ParseLV4MeshBonesVertices of the file code/AssetLib/ASE/ASEParser.cpp of the component ASE File Handler. The manipulation leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is e8a6286542924e628e02749c4f5ac4f91fdae71b. It is recommended to apply a patch to fix this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Affected Products (NVD)

Vendor	Product	Version
assimp	assimp	5.4.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

assimp

bookworm	no-dsa
bullseye	postponed
forky	6.0.5+ds-1 fixed
sid	6.0.5+ds-1 fixed
trixie	no-dsa

Red Hat Enterprise Linux Releases

Red Hat Product

Release

qt5-qt3d

RHEL 9

0:5.15.9-2.el9_6

fixed

qt5-qt3d-devel

RHEL 9

0:5.15.9-2.el9_6

fixed

qt5-qt3d-examples

RHEL 9

0:5.15.9-2.el9_6

fixed

Known Exploits!

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://github.com/assimp/assimp/issues/6024

https://github.com/assimp/assimp/issues/6024#issue-2877382033

https://github.com/assimp/assimp/pull/6051

https://github.com/tellypresence/assimp/commit/e8a6286542924e628e02749c4f5ac4f91fdae71b

https://vuldb.com/?ctiid.303105

https://vuldb.com/?id.303105

https://vuldb.com/?submit.542247