CVE-2025-21131: 
Adobe Substance 3D Stager vulnerability analysis and mitigation

Adobe Substance3D - Stager versions 3.0.4 and earlier are affected by an out-of-bounds write vulnerability (CVE-2025-21131) that was disclosed on January 14, 2025. The vulnerability affects both Windows and macOS platforms. This security issue could result in arbitrary code execution in the context of the current user, requiring user interaction through opening a malicious file (Adobe Advisory, NVD).

The vulnerability is classified as an out-of-bounds write (CWE-787) with a CVSS v3.1 base score of 7.8 (HIGH). The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability (Adobe Advisory).

Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the current user. The vulnerability has high severity ratings for confidentiality, integrity, and availability impacts (Adobe Advisory).

Adobe has released version 3.1.0 of Substance 3D Stager to address this vulnerability. Users are recommended to update their installation to the newest version via the Creative Cloud desktop app's update mechanism. For managed environments, IT administrators can use the Admin Console to deploy the update to end users (Adobe Advisory).

The vulnerability was discovered and reported by security researcher jony_juice through Adobe's public bug bounty program with HackerOne (Adobe Advisory).