CVE-2025-6120

Name
CVE-2025-6120
Description
A vulnerability classified as critical was found in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function read_meshes in the library assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
issue-tracking https://github.com/assimp/assimp/issues/6220
issue-tracking https://github.com/assimp/assimp/issues/6220#issuecomment-2945018579
exploit https://github.com/user-attachments/files/20605340/read_meshes_reproduce.tar.gz
signature https://vuldb.com/?ctiid.312589
vdb-entry https://vuldb.com/?id.312589
third-party-advisory https://vuldb.com/?submit.591235

Match rules

CPE URI Source package Min version Max version
assimp == 5.4.0 == 5.4.0
assimp == 5.4.1 == 5.4.1
assimp == 5.4.2 == 5.4.2
assimp == 5.4.3 == 5.4.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
assimp edge-community 5.4.3-r0 Russ Webber <russ@rw.id.au> possibly vulnerable
assimp 3.22-community 5.4.3-r0 Russ Webber <russ@rw.id.au> possibly vulnerable