
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-2757) was discovered in Open Asset Import Library (Assimp) version 5.4.3, specifically affecting the `AI_MD5_PARSE_STRING_IN_QUOTATION` function in the MD5 File Handler component (`code/AssetLib/MD5/MD5Parser.cpp`). The vulnerability was disclosed on March 25, 2025 (NVD).
The vulnerability is a heap-based buffer overflow that occurs in the `AI_MD5_PARSE_STRING_IN_QUOTATION` function. The issue arises because the function does not validate the boundary of the string buffer, which has a fixed size of 1024 bytes (`AI_MAXLEN`). This allows an attacker to write arbitrary data beyond the buffer's bounds. The vulnerability has received a CVSS v3.1 base score of 6.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (GitHub Issue).
If exploited, this vulnerability could lead to remote code execution if an attacker can trick a victim into processing a malformed MD5 file with the affected Assimp library. The heap buffer overflow allows writing beyond the allocated memory space, which could result in arbitrary code execution (GitHub Issue).
The vulnerability affects Assimp version 5.4.3 and is currently unpatched in the main branch. Users are advised to monitor for updates and exercise caution when processing untrusted MD5 files (Debian Security Tracker).
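The missing bounds check described above, as a simplified model added here for illustration; it is not Assimp's code. The names `copy_quoted_unchecked`, `copy_quoted_checked` and `MAX_LEN` are hypothetical, with `MAX_LEN` standing in for the 1024-byte `AI_MAXLEN` buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 1024 /* hypothetical stand-in for the 1024-byte buffer */

/* Unchecked pattern (the bug class): copies up to the closing quote and
 * never compares the length with the destination size. Shown for
 * contrast only; nothing in this example calls it. */
void copy_quoted_unchecked(const char *in, char *out) {
    if (*in == '"') ++in;
    while (*in && *in != '"') *out++ = *in++; /* writes past out when the string is >= MAX_LEN */
    *out = '\0';
}

/* Hardened form: copies the text between two double quotes found in
 * [in, end) into out. Returns 0 on success, -1 if the token is
 * malformed, unterminated, or does not fit in out_size bytes. */
int copy_quoted_checked(const char *in, const char *end,
                        char *out, size_t out_size) {
    const char *q;
    size_t len;

    if (out_size == 0 || in >= end || *in != '"') return -1;
    ++in;
    q = memchr(in, '"', (size_t)(end - in)); /* never scans past the input */
    if (q == NULL) return -1;                /* unterminated string */
    len = (size_t)(q - in);
    if (len >= out_size) return -1;          /* must leave room for the NUL */
    memcpy(out, in, len);
    out[len] = '\0';
    return 0;
}

int main(void) {
    char name[MAX_LEN];
    const char line[] = "\"origin\" -1"; /* constructed sample token */
    int rc = copy_quoted_checked(line, line + sizeof line - 1, name, sizeof name);
    printf("rc=%d name=%s\n", rc, rc == 0 ? name : "(rejected)");
    return 0;
}
```

Rejecting an overlong string outright, rather than truncating it, keeps the parser from silently accepting a file it cannot represent.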
Source: This report was generated using AI