CVE-2025-5201: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-5201) was discovered in Open Asset Import Library (Assimp) version 5.4.3. The issue affects the LWOImporter::CountVertsAndFacesLWO2 function in the file assimp/code/AssetLib/LWO/LWOLoader.cpp, leading to an out-of-bounds read vulnerability. The vulnerability was discovered and disclosed to the public in May 2025 (NVD).

The vulnerability stems from improper memory handling in the LWOImporter::CountVertsAndFacesLWO2 function. The code assumes that the end pointer is 2-byte-aligned, but when it is not, the memcpy operation reads out of bounds. Additionally, the numIndices variable is used in a loop condition without proper boundary checks, leading to potential buffer overflows. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Github Issue).

The vulnerability allows for out-of-bounds read operations, which could potentially lead to information disclosure or application crashes. The attack requires local access to be exploited, limiting its potential impact. The vulnerability primarily affects the integrity of memory operations when processing LWO format files (NVD).

Currently, there is no official patch available, as the project has decided to address these issues collectively in the future. The project team is collecting all fuzzer bugs in a main issue for future resolution (Github Issue).