Skip to main content
CVE Vulnerability Database

CVE-2025-2591: Assimp Divide by Zero DoS Vulnerability

CVE-2025-2591 is a divide by zero denial of service vulnerability in Open Asset Import Library Assimp 5.4.3. Attackers can exploit this flaw remotely to disrupt service. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-2591 Overview

CVE-2025-2591 is a divide-by-zero vulnerability [CWE-369] in the Open Asset Import Library (Assimp) version 5.4.3. The flaw resides in the MDLImporter::InternReadFile_Quake1 function within code/AssetLib/MDL/MDLLoader.cpp. Attacker-controlled skinwidth and skinheight values in a crafted Quake1 MDL file trigger the divide-by-zero condition during model import. The issue causes a denial-of-service condition in any application that embeds Assimp for 3D asset loading. The exploit details have been publicly disclosed, and a patch is available in commit ab66a1674fcfac87aaba4c8b900b315ebc3e7dbd.

Critical Impact

Remote attackers can crash any application that uses Assimp 5.4.3 to parse untrusted MDL files by supplying a malformed model with zero-valued skin dimension fields.

Affected Products

  • Open Asset Import Library (Assimp) 5.4.3
  • Applications and game engines embedding the vulnerable Assimp release
  • Content pipelines and asset converters relying on the Quake1 MDL importer

Discovery Timeline

  • 2025-03-21 - CVE-2025-2591 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-2591

Vulnerability Analysis

Assimp is a widely used open-source library for importing and exporting 3D model formats. The vulnerability exists in the Quake1 MDL importer, which parses skin metadata during model loading. The importer reads skinwidth and skinheight fields directly from the input file without validating they are non-zero. Subsequent arithmetic operations divide by these attacker-controlled fields, triggering an unhandled divide-by-zero exception. The result is an immediate process crash in the host application. Because Assimp is embedded in numerous rendering engines, game clients, and asset conversion tools, any workflow that ingests third-party MDL files inherits this exposure.

Root Cause

The root cause is missing input validation on the skinwidth and skinheight header fields inside MDLImporter::InternReadFile_Quake1. The importer trusts values supplied by the file and uses them as divisors without a non-zero check. This is a classic [CWE-369] Divide By Zero defect where user-controlled input reaches an arithmetic operator without sanitization.

Attack Vector

An attacker crafts a malicious Quake1 MDL file with skinwidth or skinheight set to zero. The file is delivered to the victim through any channel that feeds Assimp — an in-game asset download, a shared 3D model, an email attachment for a modeling tool, or an automated content pipeline. When Assimp parses the file, the arithmetic exception terminates the host process. Exploitation requires user interaction to open or import the file, but no privileges or authentication are required. The EPSS score is 0.6% with a percentile of 44.6, reflecting a low but non-negligible likelihood of exploitation attempts.

No verified public proof-of-concept code is available. See the Assimp GitHub issue #6009 for reporter-supplied reproduction details.

Detection Methods for CVE-2025-2591

Indicators of Compromise

  • Unexpected process termination in applications that call the Assimp MDL importer, particularly when handling user-supplied 3D models.
  • Crash dumps referencing MDLImporter::InternReadFile_Quake1 in the faulting stack frame.
  • MDL files whose header fields skinwidth or skinheight equal zero.

Detection Strategies

  • Inspect binaries and package manifests for Assimp version 5.4.3 across build systems, containers, and shipped applications.
  • Add a pre-parse validation step in asset pipelines that rejects MDL files with zero-valued skin dimensions.
  • Correlate application crash telemetry with recent MDL or 3D asset imports to surface potential exploitation attempts.

Monitoring Recommendations

  • Monitor for repeated crashes of graphics or content-processing services following file-import operations.
  • Log the hashes and origins of MDL files processed by server-side asset converters for retrospective analysis.
  • Track third-party dependency inventories via Software Bill of Materials (SBOM) tooling to flag vulnerable Assimp releases.

How to Mitigate CVE-2025-2591

Immediate Actions Required

  • Identify every product and internal tool that links against Assimp 5.4.3 and prioritize those exposed to untrusted input.
  • Apply the upstream fix from commit ab66a1674fcfac87aaba4c8b900b315ebc3e7dbd or upgrade to a release that incorporates pull request #6047.
  • Disable the Quake1 MDL importer in Assimp configurations where the format is not required.

Patch Information

The Assimp maintainers merged the fix in pull request #6047, identified by commit hash ab66a1674fcfac87aaba4c8b900b315ebc3e7dbd. The patch adds validation of the skinwidth and skinheight fields before they are used as divisors in MDLImporter::InternReadFile_Quake1. Rebuild downstream applications against a patched Assimp build to remediate the issue.

Workarounds

  • Restrict MDL imports to trusted sources until the patched library version is deployed.
  • Sandbox asset-processing workloads so that a crash in the importer does not disrupt the host application or service.
  • Add a wrapper around Assimp calls that pre-parses MDL headers and rejects files with zero-valued skinwidth or skinheight fields.
bash
# Example: rebuild Assimp from source with the upstream fix applied
git clone https://github.com/assimp/assimp.git
cd assimp
git checkout ab66a1674fcfac87aaba4c8b900b315ebc3e7dbd
cmake -S . -B build -DBUILD_SHARED_LIBS=ON
cmake --build build --config Release

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.