CVE-2025-2592

Name	CVE-2025-2592
Description	A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named 2690e354da0c681db000cfd892a55226788f2743. It is recommended to apply a patch to fix this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1102222

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
assimp (PTS)	bullseye	5.0.1~ds0-2	vulnerable
	bookworm	5.2.5~ds0-1	vulnerable
	sid, trixie	5.4.3+ds-2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
assimp	source	(unstable)	(unfixed)			1102222

Notes

[bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <postponed> (Minor issue)
https://github.com/assimp/assimp/issues/6010
https://github.com/assimp/assimp/pull/6052
Fixed by: https://github.com/assimp/assimp/commit/2690e354da0c681db000cfd892a55226788f2743