CVE-2025-5202: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3, tracked as CVE-2025-5202. The issue affects the HL1MDLLoader::validate_header function in the file assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp, which can lead to an out-of-bounds read vulnerability. The vulnerability was discovered and disclosed to the public in May 2025 (NVD, CVE).

The vulnerability stems from improper validation of file size before accessing the buffer/header in the HL1MDLLoader::validateheader function. Specifically, when checking the header->numbodyparts value against AIMDLHL1MAX_BODYPARTS, the code performs an out-of-bounds read operation. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (Github Issue).

The vulnerability allows for an out-of-bounds read operation, which could potentially lead to information disclosure or program crashes. The attack requires local access to be executed, and while the vulnerability has been publicly disclosed, its impact is primarily limited to availability issues (NVD).

The project has acknowledged the issue and has decided to collect all Fuzzer bugs in a main issue to address them in the future. Currently, there is no official patch available, but the issue is being tracked as part of a larger initiative to address Fuzzer-discovered vulnerabilities (Github Epic).