CVE-2025-70067: Assimp FBX Buffer Overflow Vulnerability

CVE-2025-70067 Overview

CVE-2025-70067 is a heap buffer overflow [CWE-122] in Open Asset Import Library (Assimp) versions up to 6.0.2. The flaw resides in the FBX Importer, specifically within the aiMaterial::AddBinaryProperty function. A property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation. Applications that consume untrusted FBX assets through Assimp inherit this exposure, including 3D engines, modeling tools, and asset pipelines. Attackers can trigger memory corruption by supplying a malicious FBX file, potentially leading to arbitrary code execution in the host process.

Critical Impact

A network-reachable attacker can achieve remote code execution by delivering a crafted FBX file to any application linking vulnerable Assimp builds.

Affected Products

• Assimp (Open Asset Import Library) versions up to and including 6.0.2
• Applications and engines bundling vulnerable Assimp builds for FBX import
• Asset pipelines and tooling that process untrusted FBX files via Assimp

Discovery Timeline

• 2026-05-04 - CVE-2025-70067 published to NVD
• 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2025-70067

Vulnerability Analysis

Assimp parses FBX files through its dedicated FBX Importer. During material property processing, the importer constructs binary properties via aiMaterial::AddBinaryProperty. This routine copies the property key string into a fixed-size heap-allocated buffer using strcpy(). Because strcpy() terminates only at a null byte, the destination buffer size is never compared against the source length. A crafted FBX file containing an oversized property key writes past the buffer boundary into adjacent heap memory.

Heap buffer overflows of this class allow attackers to corrupt allocator metadata, adjacent objects, function pointers, or virtual table references. Successful exploitation can pivot from memory corruption to arbitrary code execution within the importing process. Because Assimp is widely embedded as a library, the impact propagates to every consuming application without each project independently shipping a fix.

Root Cause

The root cause is an unchecked string copy. The strcpy() invocation in aiMaterial::AddBinaryProperty trusts the length of attacker-controlled input from the FBX stream. Safer bounded variants such as strncpy_s, std::string, or explicit length checks against the destination capacity were not used. The classification maps to [CWE-122] Heap-based Buffer Overflow.

Attack Vector

Exploitation requires the victim application to load a crafted FBX file. Delivery vectors include game asset downloads, model marketplaces, email attachments, web-based 3D viewers, and CI/CD asset processing. No authentication or user interaction beyond opening or importing the file is required. Network-borne delivery is straightforward because FBX files are routinely transferred between artists, build systems, and runtime engines.

No verified public proof-of-concept code is available at this time. Refer to the GitHub Gist Analysis and the Assimp source repository for technical context on the affected code path.

Detection Methods for CVE-2025-70067

Indicators of Compromise

• Crashes or segmentation faults in processes that link Assimp when opening FBX files
• AddressSanitizer or heap allocator error reports referencing aiMaterial::AddBinaryProperty or strcpy
• FBX files containing unusually long material property key strings beyond typical lengths
• Unexpected child processes spawned by 3D viewers, game engines, or asset pipeline workers

Detection Strategies

• Hunt for processes loading assimp shared libraries followed by anomalous memory allocations or crashes
• Inspect FBX files at ingest with parsers that enforce maximum property key lengths before handing data to Assimp
• Enable heap protection telemetry such as Windows page heap or glibc MALLOC_CHECK_ to surface corruption early
• Correlate file write events for .fbx artifacts with subsequent import process anomalies in EDR telemetry

Monitoring Recommendations

• Log Assimp version metadata across build manifests and runtime dependency trees
• Monitor crash dumps from FBX-importing applications and triage stack traces touching AddBinaryProperty
• Alert on FBX files arriving from external sources into developer workstations or build agents
• Track outbound network connections from processes that recently parsed FBX content

How to Mitigate CVE-2025-70067

Immediate Actions Required

• Inventory all software that bundles or dynamically links Assimp and identify versions at or below 6.0.2
• Block ingestion of untrusted FBX files in production asset pipelines until patched builds are deployed
• Sandbox FBX import workloads using OS-level isolation, seccomp, or container restrictions
• Apply pre-import validation that rejects FBX files with property key strings exceeding sane length limits

Patch Information

At the time of publication, monitor the Assimp GitHub repository for an upstream fix that replaces the unbounded strcpy() call in aiMaterial::AddBinaryProperty with a length-checked copy. Rebuild and redistribute all downstream applications once a fixed release is available. Vendors that statically link Assimp must ship updated binaries; dynamic linkers must update the shared library on every host.

Workarounds

• Disable the FBX Importer in Assimp builds where FBX support is not required
• Process FBX files only inside isolated, network-restricted sandboxes with non-persistent storage
• Reject FBX files originating from untrusted sources at the network or email gateway
• Apply compiler hardening flags such as -D_FORTIFY_SOURCE=2, stack canaries, and heap allocator hardening when rebuilding Assimp

# Configuration example: rebuild Assimp with FBX importer disabled
cmake -DASSIMP_BUILD_FBX_IMPORTER=OFF \
      -DASSIMP_BUILD_TESTS=OFF \
      -DCMAKE_CXX_FLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" \
      -B build -S .
cmake --build build --config Release