CVE-2025-11275
BaseFortify
Publication date: 2025-10-05
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| assimp | assimp | 6.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11275 is a heap-based buffer overflow vulnerability in Open Asset Import Library (Assimp) version 6.0.2. It occurs in the function ODDLParser::getNextSeparator, where the input pointer can be advanced beyond the allocated buffer boundary before being processed. This causes the function to dereference memory outside the intended heap buffer, leading to memory corruption. The vulnerability arises from improper pointer boundary checks in parsing functions that manipulate the input pointer incorrectly. Exploitation requires local access, and a proof-of-concept exploit is publicly available. [1, 2, 3]
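The bug class described in this answer, a cursor that is already past the end of the buffer when a separator scan dereferences it, is shown below next to a bounds-checked form. This is an added sketch and not Assimp's source code: the function names, the separator set and the sample input are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical separator set for this sketch (not taken from Assimp). */
static int is_separator(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == ',' || c == '{' || c == '}';
}

/* Unsafe shape: *in is read before any bounds test, and `!=` never stops
 * a cursor that is already past end. Shown for contrast, never called. */
const char *next_separator_unchecked(const char *in, const char *end) {
    while (!is_separator(*in) && in != end)
        ++in;
    return in;
}

/* Hardened shape: validate the cursor first, test bounds before every
 * dereference, and use `<` so an overshot cursor clamps to end. */
const char *next_separator_checked(const char *in, const char *end) {
    if (in == NULL || end == NULL || in >= end)
        return end;
    while (in < end && !is_separator(*in))
        ++in;
    return in;
}

/* Offset of the next separator in buf[0..len), scanning from `start`.
 * Returns len when none is found or when `start` is out of range. */
size_t separator_offset(const char *buf, size_t len, size_t start) {
    const char *end = buf + len;
    /* Clamp the index before forming the pointer. */
    const char *in = (start <= len) ? buf + start : end;
    return (size_t)(next_separator_checked(in, end) - buf);
}

int main(void) {
    /* Constructed input: only the first 8 bytes are the logical buffer;
     * the ',' at index 10 lies outside it and must never be reached. */
    const char backing[16] = "name=abcXY,Z";
    printf("from 0: %zu\n", separator_offset(backing, 8, 0));
    printf("from 9 (overshot): %zu\n", separator_offset(backing, 8, 9));
    return 0;
}
```

Both calls report offset 8, the end of the logical buffer; the unchecked form would read index 8 in the first case and keep scanning to the out-of-range separator at index 10 in the second.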
How can this vulnerability impact me?
This vulnerability can compromise the confidentiality, integrity, and availability of the affected system by allowing an attacker with local access to cause heap memory corruption. This could lead to crashes, data corruption, or potentially arbitrary code execution depending on the exploit. Since the exploit is publicly available and easy to execute locally, it poses a moderate security risk to systems using the vulnerable Assimp library version 6.0.2. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running a fuzzer or testing the Assimp library's OpenDDL parser with crafted input files that attempt to trigger the heap-buffer-overflow. Specifically, using AddressSanitizer (ASan) or UndefinedBehaviorSanitizer (UBSan) during compilation and execution can help detect the overflow. For example, running a fuzzer command like `./assimp_fuzzer poc` (where `poc` is a proof-of-concept crafted input file) can trigger the vulnerability and cause a crash with an ASan report indicating the heap-buffer-overflow. Debugging tools like GDB can also be used to analyze crashes and confirm the overflow in the function `ODDLParser::getNextSeparator`. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or mitigations currently identified for this vulnerability. The suggested immediate step is to consider replacing the affected Assimp library version 6.0.2 with an alternative product or a patched version once available. Additionally, restricting local access to trusted users only can reduce the risk since the exploit requires local privileges. Monitoring for updates from the Assimp project and applying patches promptly when released is also recommended. [1]