Which versions of Open Asset Import Library Assimp are affected by CVE-2025-6120?

Organizations using Open Asset Import Library Assimp should be aware of moderate risk from CVE-2025-6120, a buffer overflow vulnerability rated CVSS 5.3.. A patch is available.

Is there a public PoC exploit available for CVE-2025-6120?

Yes, a public proof-of-concept exploit is available for CVE-2025-6120. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-6120?

Within 30 days: Identify affected systems running Open Asset Import Library Assimp and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Open Asset Import Library Assimp CVE-2025-6120

Q: What is the CVSS score of CVE-2025-6120?

CVE-2025-6120 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2025-18386 LOW

Buffer Overflow (CWE-119)

2025-06-16 cna@vuldb.com

Buffer Overflow

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Ubuntu

MEDIUM

qualitative

SUSE

4.3 MEDIUM

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Red Hat

5.3 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 1.9 (LOW)

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18386

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

PoC Detected

Jun 17, 2025 - 19:37 vuln.today

Public exploit code

CVE Published

Jun 16, 2025 - 12:15 nvd

MEDIUM 5.3

DescriptionCVE.org

A vulnerability classified as critical was found in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function read_meshes in the library assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.

Analysis

Vendor StatusVendor

Ubuntu

Priority: Medium

assimp

Release	Status	Version
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
plucky	ignored	end of life, was needs-triage
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-

Debian

Bug #1107936

assimp

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	5.0.1~ds0-2	-
bookworm	vulnerable	5.2.5~ds0-1	-
trixie	vulnerable	5.4.3+ds-2	-
forky, sid	vulnerable	6.0.4+ds-1	-
(unstable)	fixed	(unfixed)	-

SUSE

Severity: Medium

Product	Status
SUSE Linux Enterprise Server 16.1	Fixed
SUSE Linux Enterprise Server for SAP applications 16.1	Fixed

CVE-2025-6120 vulnerability details – vuln.today

Back

Open Asset Import Library Assimp CVE-2025-6120

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Vendor StatusVendor

Ubuntu

Debian

SUSE

Share

External POC / Exploit Code