Skip to main content

Open Asset Import Library Assimp CVE-2025-11275

LOW
Buffer Overflow (CWE-119)
2025-10-05 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:51 vuln.today

DescriptionCVE.org

A vulnerability was identified in Open Asset Import Library Assimp 6.0.2. Affected by this vulnerability is the function ODDLParser::getNextSeparator in the library assimp/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used.

AnalysisAI

Heap-based buffer overflow in Open Asset Import Library Assimp 6.0.2 affects the ODDLParser::getNextSeparator function in OpenDDLParserUtils.h, allowing local attackers with low privileges to cause limited memory corruption. The vulnerability has a CVSS score of 1.9 with low confidentiality, integrity, and availability impact; however, publicly available exploit code exists and EPSS indicates minimal real-world exploitation probability (0.02% percentile 6%), suggesting this is a low-risk issue in practice despite the buffer overflow designation.

Technical ContextAI

The vulnerability exists in the Open Asset Import Library (Assimp), a widely-used 3D model import library that processes various 3D asset file formats. Specifically, the flaw is in the OpenDDL (Open Data Definition Language) parser component, contained in the openddlparser submodule within assimp/contrib. The ODDLParser::getNextSeparator function in OpenDDLParserUtils.h fails to properly validate buffer boundaries when parsing OpenDDL format files, resulting in a classic heap-based buffer overflow (CWE-119). This is a memory safety issue where input validation lacks sufficient bounds checking, potentially allowing malicious or malformed OpenDDL files to write beyond allocated heap memory boundaries.

RemediationAI

Upgrade Open Asset Import Library Assimp to the latest available version beyond 6.0.2; exact patched version confirmation requires checking the official Assimp GitHub repository releases page. Immediately verify patch availability at github.com/assimp/assimp/releases. If upgrade is not immediately feasible, apply network-level mitigations: restrict file upload functionality that processes OpenDDL format files (.oddl extension) to trusted sources only, disable OpenDDL parser if not required for your application, and validate input files against schema before parsing. Monitor memory sanitizer logs (AddressSanitizer, Valgrind) if running in development environments to detect heap corruption attempts. The trade-off of restricting file uploads may impact functionality; ensure testing confirms no legitimate OpenDDL workflows are blocked.

More in Assimp

View all
CVE-2024-48423 HIGH POC
7.8 Oct 24

An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function wi

CVE-2022-38528 MEDIUM POC
6.5 Sep 06

Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component A

CVE-2024-53425 MEDIUM POC
6.2 Nov 21

A heap-buffer-overflow vulnerability was discovered in the SkipSpacesAndLineEnd function in Assimp v5.4.3. Rated medium

CVE-2024-48426 MEDIUM POC
6.2 Oct 24

A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz t

CVE-2024-48425 MEDIUM POC
5.5 Oct 24

A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the

CVE-2024-48424 MEDIUM POC
5.5 Oct 24

A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp

CVE-2025-3016 MEDIUM POC
5.3 Mar 31

A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CV

CVE-2025-2752 MEDIUM POC
5.3 Mar 25

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic.h of the component CSM

CVE-2025-3015 MEDIUM POC
5.3 Mar 31

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

CVE-2025-2592 MEDIUM POC
5.3 Mar 21

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3.cpp. Rated m

CVE-2025-2757 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (CVSS

CVE-2025-2756 MEDIUM POC
5.3 Mar 25

A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. Rated medium severity (

Share

CVE-2025-11275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy