CVE-2025-5200: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-5200) was identified in Open Asset Import Library Assimp version 5.4.3, discovered and disclosed on May 26, 2025. The issue affects the MDLImporter::InternReadFile_Quake1 function in the file assimp/code/AssetLib/MDL/MDLLoader.cpp, classified as an out-of-bounds read vulnerability that can be triggered locally (Wiz Report, NVD).

The vulnerability manifests as a heap buffer overflow in two locations within the MDLImporter::InternReadFile_Quake1 function. The first instance occurs at line 452 where pcFrames->type is accessed out of bounds, and the second instance is at lines 457-459 where szCurrent is accessed beyond its allocated memory. The vulnerability has been assigned a CVSS 3.1 Base Score of 3.3 (LOW) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, and a CVSS 4.0 score of 4.8 (MEDIUM) (GitHub Issue).

The vulnerability affects the availability of the system through out-of-bounds read operations. When exploited, it can lead to memory access violations and potential program crashes. The impact is limited to local attacks and does not affect confidentiality or integrity of the system (Wiz Report).

Currently, there are no official fixes or mitigations available for this vulnerability. The project team has acknowledged the issue and plans to address it along with other Fuzzer-discovered bugs in the future (GitHub Issue).