CVE-2025-5200

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function MDLImporter::InternReadFile_Quake1 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation leads to out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
VulDBCNA
3.3 LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
assimpassimp
𝑥
< 5.4.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
assimp
bullseye
postponed
trixie
postponed
bookworm
postponed
sid
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
assimp
plucky
needs-triage
oracular
ignored
noble
needs-triage
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/assimp/assimp/issues/6128
https://github.com/assimp/assimp/issues/6172
https://github.com/user-attachments/files/20208985/line-452-reproducer.zip
https://vuldb.com/?ctiid.310289
https://vuldb.com/?id.310289
https://vuldb.com/?submit.578005
https://github.com/assimp/assimp/issues/6172