CVE-2025-2592

NameCVE-2025-2592
DescriptionA vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named 2690e354da0c681db000cfd892a55226788f2743. It is recommended to apply a patch to fix this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
assimp (PTS)bullseye5.0.1~ds0-2vulnerable
bookworm5.2.5~ds0-1vulnerable
sid, trixie5.4.3+ds-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
assimpsource(unstable)(unfixed)

Notes

[bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <postponed> (Minor issue)
https://github.com/assimp/assimp/issues/6010
https://github.com/assimp/assimp/pull/6052
Fixed by: https://github.com/assimp/assimp/commit/2690e354da0c681db000cfd892a55226788f2743
Search for package or bug name: Reporting problems