CVE-2025-70072 Overview
CVE-2025-70072 is an out-of-bounds read vulnerability [CWE-125] in the Open Asset Import Library (Assimp) version 6.0.2. The flaw resides in the FBXConverter::ConvertMeshMultiMaterial() function within FBXConverter.cpp. A remote attacker can trigger a denial of service by supplying a crafted FBX file to an application that uses Assimp for 3D model parsing.
Exploitation requires user interaction, typically in the form of opening or importing a malicious file. The vulnerability does not expose data or permit code execution, but it terminates the parsing process and any host application relying on the library.
Critical Impact
A crafted FBX file processed by Assimp 6.0.2 causes an out-of-bounds read in ConvertMeshMultiMaterial(), crashing the host application and resulting in denial of service.
Affected Products
- Open Asset Import Library (Assimp) version 6.0.2
- Applications and game engines that embed Assimp 6.0.2 for FBX file import
- 3D content pipelines and viewers that load untrusted FBX assets through Assimp
Discovery Timeline
- 2026-05-04 - CVE-2025-70072 published to the National Vulnerability Database
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2025-70072
Vulnerability Analysis
The vulnerability is an out-of-bounds read in Assimp's FBX converter. When FBXConverter::ConvertMeshMultiMaterial() processes a malformed FBX mesh, it reads memory beyond the bounds of an internal buffer or container. The condition is reachable through standard import APIs that Assimp exposes to host applications.
Assimp is widely embedded across game engines, modeling tools, and asset pipelines. A successful read past valid memory triggers a process crash on most platforms. The integrity and confidentiality of data are not affected, but availability of the consuming application is lost until the process restarts.
The attack requires the victim to import or open a hostile FBX file. Because FBX files are routinely shared between artists, marketplaces, and downloadable mods, the user-interaction requirement is realistic in production workflows. Public technical references include the Assimp project site and a GitHub Gist with a proof-of-concept snippet.
Root Cause
The root cause is missing bounds validation inside ConvertMeshMultiMaterial() when dereferencing material or face indices read from an untrusted FBX stream. Crafted index values steer the function to read memory outside the intended container, satisfying the [CWE-125] pattern.
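The bounds validation this paragraph describes as missing, as an added example in C++ that is not Assimp's code: a stand-in for the multi-material split that checks every face and material index against the table it addresses before using it, and rejects the mesh instead of reading past the end of a container. The MeshData layout, the function names and the three sample meshes are constructed here for illustration.

```cpp
#include <cstdint>
#include <cstddef>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for what a multi-material conversion consumes: one
// polygon list (vertex indices per face), one material index per face, and
// the sizes of the vertex and material tables those indices must stay inside.
struct MeshData {
    std::vector<std::vector<uint32_t>> faces;  // vertex indices per polygon
    std::vector<uint32_t> faceMaterials;       // material index per polygon
    size_t vertexCount;                        // entries in the vertex table
    size_t materialCount;                      // entries in the material table
};

// Result: for each material index, the faces assigned to it.
using SubMeshes = std::map<uint32_t, std::vector<size_t>>;

// Validate every index taken from the untrusted stream before it addresses a
// container; a malformed mesh is rejected (throw) rather than read out of bounds.
SubMeshes splitByMaterial(const MeshData& m) {
    if (m.faceMaterials.size() != m.faces.size())  // short index table: would read past its end
        throw std::runtime_error("material index count does not match face count");
    SubMeshes out;
    for (size_t f = 0; f < m.faces.size(); ++f) {
        const uint32_t mat = m.faceMaterials[f];
        if (mat >= m.materialCount)
            throw std::out_of_range("face " + std::to_string(f) + " uses material " + std::to_string(mat));
        for (uint32_t v : m.faces[f])
            if (v >= m.vertexCount)
                throw std::out_of_range("face " + std::to_string(f) + " uses vertex " + std::to_string(v));
        out[mat].push_back(f);
    }
    return out;
}

// True when the mesh passes all checks and can be converted safely.
bool meshIsSane(const MeshData& m) {
    try { splitByMaterial(m); return true; } catch (const std::exception&) { return false; }
}

// Constructed samples: a valid two-material mesh, a mesh whose material index
// table is shorter than its face list, and one referencing a material that
// does not exist in the table.
MeshData sampleGood()        { return { {{0,1,2},{2,3,0},{4,5,6}}, {0,0,1}, 7, 2 }; }
MeshData sampleShortTable()  { return { {{0,1,2},{2,3,0}}, {0}, 4, 1 }; }
MeshData sampleBadMaterial() { return { {{0,1,2}}, {5}, 3, 2 }; }
```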
Attack Vector
The vector is network-reachable because the malicious FBX file can be delivered through any channel the application accepts: web download, asset marketplace, email attachment, or shared project archive. The attacker must convince a user to load the file. No authentication or elevated privilege is required on the target system.
A proof-of-concept FBX trigger is referenced in the public gist linked from the NVD entry. See the GitHub Gist code snippet for technical reproduction details.
Detection Methods for CVE-2025-70072
Indicators of Compromise
- Repeated crashes of applications that embed Assimp shortly after loading FBX files
- Crash dumps referencing FBXConverter.cpp or ConvertMeshMultiMaterial in the call stack
- FBX files received from untrusted sources that fail to load and terminate the host process
- Operating system fault logs showing access violations in Assimp-linked binaries
Detection Strategies
- Inventory applications and build dependencies for Assimp 6.0.2 using software composition analysis tools
- Hunt for process termination events correlated with FBX file open operations on developer and artist workstations
- Inspect Windows Error Reporting and Linux core dumps for faults inside Assimp shared libraries
- Flag inbound FBX files from external email senders or unauthenticated upload endpoints for sandbox analysis
Monitoring Recommendations
- Monitor crash telemetry from endpoints that handle 3D assets, focusing on Assimp-linked modules
- Alert on unexpected termination of editor, game engine, and converter utility processes
- Track creation of FBX files in shared directories and correlate with subsequent application faults
- Capture full file paths and hashes of FBX inputs in EDR telemetry to support post-incident triage
How to Mitigate CVE-2025-70072
Immediate Actions Required
- Identify all instances of Assimp 6.0.2 across developer workstations, build servers, and shipped applications
- Restrict import of FBX files to those originating from trusted internal sources until a fix is available
- Run FBX import workloads inside sandboxes or containers that can be restarted automatically on crash
- Educate artists and developers to validate FBX file origin before opening third-party assets
Patch Information
No fixed Assimp version is listed in the NVD entry at publication. Monitor the Assimp project site and the upstream GitHub repository for a release that addresses FBXConverter::ConvertMeshMultiMaterial(). Once a patched release is available, rebuild dependent applications against the new version and redistribute updated binaries.
Workarounds
- Disable FBX importing in applications where the format is not strictly required
- Pre-validate FBX files with a separate hardened parser before passing them to Assimp
- Run import operations in an isolated process so a crash does not affect the main application
- Apply file-type allowlisting at email gateways and content management systems to reduce exposure to untrusted FBX assets
# Inventory example: locate Assimp shared libraries and the assimp CLI on Linux hosts
# and print the first "Assimp <version>" string each binary carries
find / -type f \( -name 'libassimp*.so*' -o -name 'assimp' \) 2>/dev/null |
while IFS= read -r f; do
    echo "== $f =="; strings "$f" | grep -E '^Assimp [0-9]' | head -1
done
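The isolated-process workaround from the list above, as an added example in C++ that is not Assimp's or any project's code: the import runs in a forked child, so a fault inside the parser ends the child and the host application only sees a result code. POSIX fork/waitpid is assumed (Linux or macOS); importIsolated and the three stand-in importers are constructed names.

```cpp
#include <csignal>
#include <cstdlib>
#include <string>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Outcome of an import run in a throwaway child process.
enum class ImportResult { Ok, Rejected, Crashed };

// Run importer(path) in a forked child so that a fault inside the parser, such
// as the out-of-bounds read in ConvertMeshMultiMaterial(), kills only the child.
// The parent maps the child's exit status to a result and keeps running.
// Only pass/fail crosses the process boundary here; a production wrapper would
// send the converted scene back to the parent over a pipe or shared memory.
ImportResult importIsolated(bool (*importer)(const std::string&), const std::string& path) {
    const pid_t pid = fork();
    if (pid < 0) return ImportResult::Rejected;       // could not fork: fail closed
    if (pid == 0) _exit(importer(path) ? 0 : 1);       // child: parse, then exit without cleanup
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return ImportResult::Rejected;
    if (WIFSIGNALED(status)) return ImportResult::Crashed;   // SIGSEGV, SIGABRT, ...
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? ImportResult::Ok
                                                            : ImportResult::Rejected;
}

// Constructed stand-ins for the real Assimp call (no Assimp headers are used):
// one importer that succeeds, one that rejects the file cleanly, and one that
// dies by signal (SIGABRT via abort) the way a parser hitting a hard fault would.
bool importerOk(const std::string&)      { return true; }
bool importerRejects(const std::string&) { return false; }
bool importerFaults(const std::string&)  { std::abort(); }
```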
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


