CVE-2025-15666 Overview
CVE-2025-15666 is a heap-based buffer overflow vulnerability in Open Asset Import Library (Assimp) versions up to 5.4.3. The flaw resides in the Assimp::SceneCombiner::Copy function within code/Common/SceneCombiner.cpp, part of the Model File Handler component. Manipulation of the width/height arguments triggers memory corruption on the heap [CWE-119]. The issue requires local access and low privileges to exploit. Public disclosure of the exploit has occurred, though no in-the-wild exploitation is confirmed. The defect is tracked by the Assimp project through issue #6128.
Critical Impact
Local attackers with low privileges can trigger heap-based buffer corruption in applications processing untrusted 3D model files through Assimp, potentially leading to memory disclosure or process crashes.
Affected Products
- Open Asset Import Library (Assimp) versions up to and including 5.4.3
- Applications embedding the vulnerable Assimp library for 3D model parsing
- Downstream projects consuming SceneCombiner.cpp from affected releases
Discovery Timeline
- 2026-07-01 - CVE-2025-15666 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2025-15666
Vulnerability Analysis
Assimp is a widely used open-source library for importing and processing 3D asset formats. The vulnerability lives in Assimp::SceneCombiner::Copy, a routine that duplicates scene objects during model merging operations. When the function processes attacker-controlled width and height values from a malformed model file, it fails to correctly validate the resulting allocation size against the buffer used for copying. This mismatch produces a heap-based buffer overflow, corrupting adjacent heap metadata or data structures. Because Assimp is embedded in game engines, 3D modeling tools, and asset pipelines, a crafted model file processed locally by such an application triggers the flaw. The public disclosure of exploitation details raises the practical risk for tooling that automatically imports untrusted assets.
Root Cause
The root cause is inadequate bounds checking on the width and height arguments before performing a heap copy operation inside SceneCombiner::Copy. The function trusts dimensional metadata parsed from the input model file without enforcing sane upper limits or validating that the destination buffer accommodates the copy length. This maps to CWE-119, improper restriction of operations within the bounds of a memory buffer.
Attack Vector
Exploitation requires local access with low privileges. An attacker delivers a specially crafted model file that a victim application processes through Assimp. When SceneCombiner::Copy executes on the malicious scene data, the crafted width/height values drive an out-of-bounds heap write. Practical outcomes include process termination, memory disclosure through corrupted state, or, depending on heap layout and target binary hardening, controlled memory corruption.
No verified proof-of-concept code has been published for direct inclusion. Technical discussion of the defect class is available in the Assimp GitHub Issue Discussion and the VulDB CVE Analysis.
Detection Methods for CVE-2025-15666
Indicators of Compromise
- Unexpected crashes or SIGSEGV/SIGABRT events in processes that embed Assimp when opening 3D model files
- Heap corruption reports from AddressSanitizer or Application Verifier during Assimp model imports
- Model files with anomalously large or malformed width/height fields not consistent with the declared format
Detection Strategies
- Inventory applications, containers, and build pipelines linking against Assimp 5.4.3 or earlier and flag them for review
- Run Assimp with AddressSanitizer or similar heap instrumentation in test and CI environments to catch overflow conditions in SceneCombiner::Copy
- Sandbox model import operations and log abnormal termination signals from processes that parse untrusted assets
Monitoring Recommendations
- Alert on repeated crashes of 3D asset tools, game engines, or CAD software correlated with recently imported files
- Track file provenance for 3D models entering asset pipelines and require review of externally sourced content
- Monitor package manifests (vcpkg, Conan, apt, distribution SBOMs) for Assimp versions at or below 5.4.3
How to Mitigate CVE-2025-15666
Immediate Actions Required
- Identify all first-party and third-party applications that statically or dynamically link Assimp
- Restrict processing of untrusted 3D model files to sandboxed or containerized environments
- Remove or gate automated import workflows that accept externally supplied model files without validation
Patch Information
At the time of publication, no fixed release version is listed in the NVD record for CVE-2025-15666. The defect is tracked upstream through Assimp issue #6128, with related discussion in Assimp Issue #6079. Consumers should monitor the Assimp repository for a corrected release incorporating bounds validation on width/height in SceneCombiner::Copy, then rebuild and redistribute dependent binaries. Refer to the VulDB Vulnerability Details for tracking updates.
Workarounds
- Disable or block import of file formats that exercise the SceneCombiner::Copy code path when they are not required
- Enforce strict pre-parsing validation of model file dimensions and reject files with unrealistic width or height values
- Run applications that process untrusted models under a least-privilege user account with reduced filesystem and network access
- Enable compiler and OS hardening features such as heap integrity checks, ASLR, and stack canaries in downstream builds
# Configuration example
# Identify installed Assimp version on Linux systems
dpkg -l | grep -i assimp
ldconfig -p | grep -i assimp
# Search source or build trees for vulnerable file
grep -RIn "SceneCombiner::Copy" /path/to/source
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

