CVE-2025-53010: 
Python vulnerability analysis and mitigation

MaterialX version 1.39.2 contains a null pointer dereference vulnerability (CVE-2025-53010) that affects the MaterialXCore component. The vulnerability was discovered and disclosed on July 31, 2025, affecting the shader node parsing functionality in MTLX files. MaterialX is an open standard for exchanging material and look-development content across applications and renderers (GitHub Advisory).

The vulnerability occurs in the getShaderNodes function within src/MaterialXCore/Material.cpp when parsing shader nodes in MTLX files. Specifically, when nodeGraph->getOutput(input->getOutputString()) returns a null pointer, the subsequent attempt to call output->getConnectedNode() results in a crash. The vulnerability has been assigned a CVSS v4.0 score of LOW with vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P and is classified as CWE-476 (NULL Pointer Dereference) (GitHub Advisory, NVD).

An attacker could exploit this vulnerability by crafting a malicious MTLX file that triggers the null pointer dereference, resulting in a crash of the target program that uses MaterialX (GitHub Advisory).

The vulnerability has been fixed in MaterialX version 1.39.3. The fix involves adding a null check before accessing the output pointer in the getShaderNodes function (GitHub Commit).