CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
A buffer overflow vulnerability exists in the FBX importer of Assimp versions up to 6.0.2. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation.
Analysis (AI)
Heap buffer overflow in Assimp's FBX importer allows remote code execution when processing malicious FBX files. The vulnerability affects Assimp versions up to 6.0.2 through unsafe strcpy() operations in aiMaterial::AddBinaryProperty, enabling attackers to achieve arbitrary code execution with high CVSS severity (9.8). A proof-of-concept exploit is publicly available via GitHub Gist, though EPSS indicates only 0.02% exploitation probability and no CISA KEV listing exists, suggesting limited active exploitation despite the theoretical severity.
Technical Context (AI)
Assimp (Open Asset Import Library) is a widely used C++ library for importing many 3D model formats, including FBX (Filmbox). The vulnerability stems from CWE-122 (heap-based buffer overflow) in the FBX import pipeline, specifically in the aiMaterial::AddBinaryProperty function. When parsing FBX files, property key strings are copied into fixed-size heap buffers using strcpy(), a classic unsafe C string function that performs no bounds checking. An attacker-crafted FBX file with an oversized property key string triggers the overflow and corrupts heap memory. This is a fundamental memory safety issue common in legacy C/C++ codebases that handle untrusted file formats, where parser code predates modern memory-safe practices.
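To make the CWE-122 pattern concrete for reviewers, the following C block is an added, illustrative example and is not Assimp's code: the struct, the KEY_BUF_LEN size, the function names (add_property_unsafe, add_property_checked) and the sample keys are all constructed for this page. It places the unbounded strcpy() pattern the advisory describes next to a hardened variant that takes the key length the parser already knows, rejects keys that do not fit (rather than truncating silently), and refuses keys containing an embedded NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fixed buffer size for the example; the real importer's size is
 * not stated on the page. */
#define KEY_BUF_LEN 32

/* Hypothetical material property: a fixed-size key buffer allocated on the heap. */
typedef struct {
    char *key;      /* heap buffer of KEY_BUF_LEN bytes */
    size_t keylen;  /* length of the key actually stored */
} material_property_t;

/* The unsafe pattern the advisory describes: strcpy() into a fixed-size heap
 * buffer with no length check. Shown only as the "before" form; it is never
 * called below, because an oversized key would write past the buffer. */
static int add_property_unsafe(material_property_t *p, const char *key)
{
    p->key = malloc(KEY_BUF_LEN);
    if (p->key == NULL)
        return -1;
    strcpy(p->key, key);            /* overflows when strlen(key) >= KEY_BUF_LEN */
    p->keylen = strlen(key);
    return 0;
}

/* Hardened form: the caller passes the key length it read from the file, and
 * the copy is bounded. Returns 0 on success, -1 on allocation failure,
 * -2 when the key does not fit, -3 when the key contains an embedded NUL. */
static int add_property_checked(material_property_t *p, const char *key, size_t keylen)
{
    if (keylen >= KEY_BUF_LEN)                  /* leave room for the terminator */
        return -2;
    if (memchr(key, '\0', keylen) != NULL)      /* malformed key from the file */
        return -3;
    p->key = malloc(KEY_BUF_LEN);
    if (p->key == NULL)
        return -1;
    memcpy(p->key, key, keylen);
    p->key[keylen] = '\0';
    p->keylen = keylen;
    return 0;
}

/* A well-formed key (constructed sample) is stored intact. Returns 1 on success. */
static int demo_valid_key(void)
{
    material_property_t p = {0};
    const char key[] = "ExampleKey";
    int rc = add_property_checked(&p, key, sizeof key - 1);
    int ok = (rc == 0 && p.keylen == 10 && strcmp(p.key, "ExampleKey") == 0);
    free(p.key);
    return ok;
}

/* An oversized key (constructed: 64 bytes of 'A') is rejected before any
 * allocation or copy happens. Returns 1 when the rejection path was taken. */
static int demo_oversized_key(void)
{
    material_property_t p = {0};
    char big[KEY_BUF_LEN * 2];
    memset(big, 'A', sizeof big);
    int rc = add_property_checked(&p, big, sizeof big);
    return (rc == -2 && p.key == NULL);
}

/* A key with an embedded NUL (constructed) is rejected as malformed. */
static int demo_embedded_nul_key(void)
{
    material_property_t p = {0};
    const char bad[] = "Exa\0mple";
    int rc = add_property_checked(&p, bad, sizeof bad - 1);
    return (rc == -3 && p.key == NULL);
}

int main(void)
{
    (void)add_property_unsafe;  /* referenced only so the "before" form compiles */
    printf("valid key stored:      %s\n", demo_valid_key() ? "yes" : "no");
    printf("oversized key rejected: %s\n", demo_oversized_key() ? "yes" : "no");
    printf("embedded NUL rejected:  %s\n", demo_embedded_nul_key() ? "yes" : "no");
    return 0;
}
```

The design point is that the length check happens against a value the parser already has in hand (the key length read from the file), not against strlen() of a buffer whose contents are attacker-controlled, and that an oversized key is a parse error rather than something to silently truncate.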
Remediation (AI)
Upgrade to Assimp version 6.0.3 or later once available, monitoring the official GitHub repository at github.com/assimp/assimp for patched releases addressing this buffer overflow. As of analysis time, no officially tagged fix version is confirmed in available data sources.

Until patches are deployed, implement defense-in-depth controls:
- Disable FBX import functionality if it is not business-critical (Assimp supports 40+ formats; consider restricting to safer alternatives such as glTF).
- Validate and sanitize FBX files before processing, using file format validators.
- Process untrusted FBX files in sandboxed environments with limited privileges (containers, VMs, capability-restricted processes).
- Implement file size limits and timeout controls on import operations to constrain the exploitation window.
- Enable memory protection mechanisms such as ASLR, DEP, and heap integrity checks in the runtime environment.

Note that disabling FBX support may break workflows that depend on Autodesk ecosystem file exchange. For server-side implementations, consider moving FBX processing to isolated worker services with no network access, to limit post-exploitation lateral movement. Monitor vendor advisory channels and apply patches immediately upon release, given public POC availability.
EUVD-2025-209616