CVE-2025-70067
Deferred Deferred - Pending Action
Buffer Overflow in Assimp FBX Importer

Publication date: 2026-05-04

Last updated on: 2026-05-05

Assigner: MITRE

Description
Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70067
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assimp assimp to 6.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability occurs when a maliciously crafted FBX file is imported using Assimp version 6.0.2 or earlier. Detection involves identifying if such files are processed by vulnerable versions of Assimp.

Since the issue is triggered by importing a crafted FBX file, one detection approach is to monitor or audit the use of Assimp in your environment, especially the import of FBX files.

There are no specific commands provided in the available resources to detect exploitation attempts or vulnerable usage directly.

Mitigation Strategies

Immediate mitigation involves preventing the import of malicious FBX files using vulnerable versions of Assimp (up to 6.0.2).

Avoid using unsafe string-copy functions like strcpy() without runtime length validation in your own code if you maintain or modify Assimp.

Apply runtime length validation to reject or truncate property keys longer than the buffer capacity.

Monitor for updates or patches from the Assimp project that address this vulnerability and apply them as soon as they become available.

Executive Summary

This vulnerability is a buffer overflow in Assimp versions up to 6.0.2, specifically in the FBX Importer component. It occurs in the function aiMaterial::AddBinaryProperty, where a property key string from a specially crafted FBX file is copied into a fixed-size heap buffer using the strcpy() function without checking the length of the input. This lack of length validation can cause memory corruption.

Impact Analysis

The buffer overflow can lead to memory corruption, which may allow an attacker to execute arbitrary code, crash the application, or cause denial of service when processing malicious FBX files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart