CVE-2025-2591: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-2591) was discovered in Open Asset Import Library (Assimp) version 5.4.3, specifically affecting the MDLImporter::InternReadFile_Quake1 function in the file code/AssetLib/MDL/MDLLoader.cpp. The vulnerability was disclosed on February 25, 2025, and a patch was released on March 12, 2025 (GitHub Issue).

The vulnerability is caused by an improper check of skinwidth and skinheight parameters in the MDL file processing logic. The code checks whether pcHeader->skinwidth is zero or pcHeader->skinheight is zero using an OR condition, which allows the code to proceed if one of them is not zero, potentially leading to a division by zero operation. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (NVD).

An attacker could potentially exploit this vulnerability to cause a denial of service condition by triggering a Floating Point Exception (FPE) when the application processes a specially crafted MDL file (GitHub Issue).

The vulnerability has been fixed in commit ab66a1674fcfac87aaba4c8b900b315ebc3e7dbd, which modifies the condition to check if both skinwidth and skinheight are non-zero before performing the division operation. Users are recommended to update to the patched version (GitHub PR).