CVE-2025-3160: 
NixOS vulnerability analysis and mitigation

A vulnerability has been discovered in Open Asset Import Library (Assimp) version 5.4.3, identified as CVE-2025-3160. The vulnerability affects the Assimp::SceneCombiner::AddNodeHashes function in the code/Common/SceneCombiner.cpp file. The issue was disclosed on April 3, 2025 and involves an out-of-bounds read condition (NVD, Debian Tracker).

The vulnerability is caused by a lack of null pointer validation in the Assimp::SceneCombiner::AddNodeHashes function. When the function attempts to access node->mName.length without first checking if node is null, it can trigger a null pointer dereference and crash. The issue has been assigned CWE-125 (Out-of-bounds Read) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The CVSS v4.0 score is 4.8 (Medium) with vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Issue).

While this vulnerability cannot be used for remote code execution on its own, it can be exploited as a read primitive if an attacker can trick a victim into processing a malformed file with Assimp. The vulnerability leads to an out-of-bounds read condition that causes program crashes (GitHub Issue).

A patch has been released and is identified by commit a0993658f40d8e13ff5823990c30b43c82a5daf0. The fix adds proper null pointer validation before accessing the node pointer. It is recommended to update to the patched version (GitHub Commit).