CVE-2025-3548

NameCVE-2025-3548
DescriptionA vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp up to 5.4.3. This issue affects the function aiString::Set in the library include/assimp/types.h of the component File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1103443

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
assimp (PTS)bullseye5.0.1~ds0-2vulnerable
bookworm5.2.5~ds0-1vulnerable
sid, trixie5.4.3+ds-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
assimpsource(unstable)(unfixed)1103443

Notes

[bookworm] - assimp <no-dsa> (Minor issue)
https://github.com/assimp/assimp/issues/6068
https://github.com/assimp/assimp/pull/6073
Fixed by: https://github.com/assimp/assimp/commit/0ae66d27039481dc2a507bbc8482f691037c1a5a
Search for package or bug name: Reporting problems