CVE-2025-6120

EUVD-2025-18386

16.06.2025, 12:15

A vulnerability classified as critical was found in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function read_meshes in the library assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
assimp	assimp	𝑥 ≤ 5.4.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

assimp

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

assimp

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	ignored
plucky	ignored
questing	needs-triage
xenial	needs-triage

Known Exploits!

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://github.com/assimp/assimp/issues/6220

https://github.com/assimp/assimp/issues/6220#issuecomment-2945018579

https://github.com/user-attachments/files/20605340/read_meshes_reproduce.tar.gz

https://vuldb.com/?ctiid.312589

https://vuldb.com/?id.312589

https://vuldb.com/?submit.591235