CVE-2025-8854
BaseFortify
Publication date: 2025-08-11
Last updated on: 2025-12-08
Assigner: CyberArk Labs
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bulletphysics | pybullet | to 3.25 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow in the LoadOFF function of the bullet3 project's VHACD utility. It occurs because the code reads an unbounded string from a crafted OFF file into a fixed-size stack buffer using fscanf with the "%s" format specifier, which does not limit input length. An attacker can create an OFF file with an initial token longer than the buffer size (1024 bytes), causing the buffer to overflow. This overflow can lead to a crash or potentially allow arbitrary code execution depending on the environment. [1]
How can this vulnerability impact me? :
If you use the bullet3 VHACD utility or the PyBullet vhacd function to process OFF files, an attacker could exploit this vulnerability by providing a specially crafted OFF file with an excessively long initial token. This could cause the application to crash or, in the worst case, allow the attacker to execute arbitrary code on your system, potentially compromising system integrity and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the VHACD utility or PyBullet's vhacd function with a crafted OFF file containing an excessively long initial token (over 1023 characters without spaces). Running the VHACD tool or invoking pybullet.vhacd() with such a file should cause a crash if vulnerable. There are no specific network detection commands provided. For example, you can create an OFF file with a very long first token and run: `./VHACD path_to_crafted.off` or use a Python script to call `pybullet.vhacd()` with the crafted file to observe if a crash occurs. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the suggested code fix to the LoadOFF function by replacing the unbounded fscanf call with a bounded one to limit input size, specifically changing `fscanf(fid, "%s", temp);` to `if (fscanf(fid, "%1023s", temp) != 1) { fclose(fid); return false; }`. Until a patched version is available, avoid processing untrusted OFF files with VHACD or pybullet.vhacd(). [1]