CVE-2025-11275
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Open Asset Import Library Assimp 6.0.2. Affected by this vulnerability is the function ODDLParser::getNextSeparator in the library assimp/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11275
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assimp assimp 6.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11275 is a heap-based buffer overflow vulnerability in Open Asset Import Library (Assimp) version 6.0.2. It occurs in the function ODDLParser::getNextSeparator, where the input pointer can be advanced beyond the allocated buffer boundary before being processed. This causes the function to dereference memory outside the intended heap buffer, leading to memory corruption. The vulnerability arises from improper pointer boundary checks in parsing functions that manipulate the input pointer incorrectly. Exploitation requires local access, and a proof-of-concept exploit is publicly available. [1, 2, 3]

Impact Analysis

This vulnerability can compromise the confidentiality, integrity, and availability of the affected system by allowing an attacker with local access to cause heap memory corruption. This could lead to crashes, data corruption, or potentially arbitrary code execution depending on the exploit. Since the exploit is publicly available and easy to execute locally, it poses a moderate security risk to systems using the vulnerable Assimp library version 6.0.2. [1]

Detection Guidance

This vulnerability can be detected by running a fuzzer or testing the Assimp library's OpenDDL parser with crafted input files that attempt to trigger the heap-buffer-overflow. Specifically, using AddressSanitizer (ASan) or UndefinedBehaviorSanitizer (UBSan) during compilation and execution can help detect the overflow. For example, running a fuzzer command like `./assimp_fuzzer poc` (where `poc` is a proof-of-concept crafted input file) can trigger the vulnerability and cause a crash with an ASan report indicating the heap-buffer-overflow. Debugging tools like GDB can also be used to analyze crashes and confirm the overflow in the function `ODDLParser::getNextSeparator`. [2, 3]

Mitigation Strategies

There are no known countermeasures or mitigations currently identified for this vulnerability. The suggested immediate step is to consider replacing the affected Assimp library version 6.0.2 with an alternative product or a patched version once available. Additionally, restricting local access to trusted users only can reduce the risk since the exploit requires local privileges. Monitoring for updates from the Assimp project and applying patches promptly when released is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11275. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart