CVE-2025-5204: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3, specifically affecting the MDLImporter::ParseSkinLump3DGSMDL7 function in the file assimp/code/AssetLib/MDL/MDLMaterialLoader.cpp. The vulnerability was disclosed on May 26, 2025, and is tracked as CVE-2025-5204. This security flaw is characterized as an out-of-bounds read vulnerability that requires local access to exploit (VulDB, NVD).

The vulnerability manifests as a heap buffer overflow condition in the MDLImporter::ParseSkinLump3DGSMDL7 and SkipSkinLump functions. The issue occurs when processing external file references or strings without null termination, leading to buffer overreads until the next null byte is encountered. The vulnerability has received a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, and a CVSS v4.0 score of 4.8 (MEDIUM) (VulDB, GitHub Issue).

The vulnerability primarily affects system availability through out-of-bounds read operations. When exploited, it can lead to heap buffer overflow conditions, potentially causing application crashes or unstable behavior. The impact is considered relatively low due to the local access requirement and limited scope of the vulnerability (VulDB).

The project has acknowledged the vulnerability and has decided to collect all Fuzzer bugs in a main issue to address them in the future. Currently, there are no official patches or workarounds available. Users are advised to monitor the project's GitHub repository for updates (GitHub Issue).