Is there a public PoC exploit available for CVE-2025-11274?

Yes, a public proof-of-concept exploit is available for CVE-2025-11274. Prioritise patching immediately. EPSS: 0.0%.

Open Asset Import Library Assimp CVE-2025-11274

Q: What is the CVSS score of CVE-2025-11274?

CVE-2025-11274 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Uncontrolled Resource Consumption (CWE-400)

2025-10-05 cna@vuldb.com

Denial Of Service Assimp

1.9

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:31 vuln.today

DescriptionNVD

A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

Assimp 6.0.2 Q3D file parser mishandles resource allocation in the Q3DImporter::InternReadFile function, causing denial of service through uncontrolled memory consumption when processing malformed Q3D model files. A local authenticated attacker can trigger excessive memory allocation by providing a specially crafted Q3D file, leading to process crash or system resource exhaustion. Publicly available exploit code exists, though CVSS 1.9 and EPSS 0.03% indicate minimal real-world exploitation risk.

Technical ContextAI

Assimp is a widely-used open-source 3D model import library supporting dozens of file formats including Q3D (Quake3 Arena model format). The vulnerability resides in the Q3DLoader.cpp parser component, specifically the InternReadFile function responsible for deserializing Q3D binary/text data into memory structures. CWE-400 (uncontrolled resource consumption) indicates insufficient validation of file-provided size fields or array dimensions before allocation, allowing an attacker to cause the parser to request enormous memory blocks. The Q3D format likely contains fields specifying mesh dimensions, vertex counts, or texture sizes that are not validated before being used in malloc/new calls, enabling a resource exhaustion attack vector.

RemediationAI

Upgrade to a patched version of Assimp if available from the upstream repository (https://github.com/assimp/assimp). At time of analysis, exact fix version numbers are not provided in available data; check the GitHub repository's releases page and issue #6356 for confirmation of a patched version. Until a patch is available or applicable, implement input validation: disable Q3D format loading in Assimp if not required for your application (most Assimp installations do not require Q3D support), or restrict Assimp's file processing to run with memory limits using OS-level resource controls (ulimit on Linux, Job Objects on Windows) to cap virtual memory and prevent system-wide exhaustion. If Assimp is exposed via a web service or batch processing system, enforce a timeout on parsing operations and validate incoming files against known Q3D specifications before passing them to the parser.

CVE-2025-11274 vulnerability details – vuln.today

Back