CVE-2025-53012
Python vulnerability analysis and mitigation

Overview

MaterialX, an open standard for exchanging material and look-development content across applications and renderers, was found to contain a vulnerability in version 1.39.2 that can crash the consuming application through stack memory exhaustion. The flaw, tracked as CVE-2025-53012, is the absence of any limit on the depth of the 'import chain' followed when a file's nested imports are processed: each imported file may itself import another, and the library followed such a chain indefinitely. The issue was disclosed on July 31, 2025 and patched in version 1.39.3 (GitHub Advisory).

Technical details

The vulnerability stems from the MaterialX specification's support for importing other files through XInclude elements. When the library parses a file it processes each import recursively, so the set of files forms a tree whose root is the first MaterialX file parsed, and every level of nesting adds a frame to the native call stack. The flaw was the lack of any depth limit on this recursion: a sufficiently long chain of files, each importing the next, grows the stack until it is exhausted and the process crashes. The vulnerability has been assigned CWE-400 (Uncontrolled Resource Consumption) and a CVSS v4.0 score of 5.5 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P (NVD); the vector reflects an availability impact only, with no confidentiality or integrity loss.

Impact

The vulnerability allows an attacker to stall and then crash any application that reads MaterialX files under the attacker's control. The impact is greater on Windows, where attack complexity is lower because an import can reference a remote path in UNC notation, so the files making up the chain need not be placed on the victim's local disk. On other systems the vulnerability is still exploitable if the attacker can write an arbitrary number of MaterialX files implementing the chain to the local file system (GitHub Advisory).

Mitigation and workarounds

The vulnerability is fixed in MaterialX version 1.39.3, which introduces a MAX_XINCLUDE_DEPTH constant set to 256 and validates the XInclude depth during XML parsing, so a file whose import chain exceeds the limit is rejected with a parse error instead of being followed further. Users are advised to upgrade to version 1.39.3 or later (GitHub Release). Where an upgrade is not immediately possible, parsing MaterialX files from untrusted sources in a separate, restartable process confines a crash to that process rather than the host application.
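The example below is added here to illustrate both the recursive import handling described under Technical details and the depth cap described above; it is not MaterialX's own code. It is a toy Python resolver for the <xinclude href="..."/> elements of a MaterialX document: the unbounded resolver follows the vulnerable pattern, the bounded one applies the 256-level limit from the advisory. The chain of .mtlx files is constructed in a temporary directory purely as test data, and the exception class XIncludeDepthError is a name chosen for this example. Python's interpreter turns runaway recursion into a RecursionError; the native library has no such guard, which is why the same input crashed it.

```python
"""Toy XInclude resolver showing the CVE-2025-53012 pattern and its fix.

Added example, not MaterialX code. It emulates the recursive import handling
the advisory describes: every <xinclude href="..."/> element is followed by a
recursive call, so the nesting depth of the import chain becomes the depth of
the call stack.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Cap introduced in MaterialX 1.39.3 (value taken from the advisory).
MAX_XINCLUDE_DEPTH = 256


class XIncludeDepthError(Exception):
    """Raised by the hardened resolver when the import chain is too deep (name is ours)."""


def _include_paths(path):
    """Return the files referenced by <xinclude href="..."/> children of the root element."""
    root = ET.parse(path).getroot()
    base = os.path.dirname(path)
    return [os.path.join(base, child.attrib["href"])
            for child in root
            if child.tag == "xinclude" and "href" in child.attrib]


def resolve_unbounded(path):
    """Vulnerable pattern: recurse into every include with no limit.

    Returns the number of files visited. A long enough chain exhausts the stack;
    Python reports that as RecursionError, native C++ code simply crashes.
    """
    visited = 1
    for include in _include_paths(path):
        visited += resolve_unbounded(include)
    return visited


def resolve_bounded(path, depth=0):
    """Hardened pattern: refuse to follow an import chain deeper than MAX_XINCLUDE_DEPTH.

    The check runs before the file is opened, so an over-deep file is never parsed.
    """
    if depth > MAX_XINCLUDE_DEPTH:
        raise XIncludeDepthError(
            f"XInclude depth {depth} exceeds limit {MAX_XINCLUDE_DEPTH} at {path}")
    visited = 1
    for include in _include_paths(path):
        visited += resolve_bounded(include, depth + 1)
    return visited


def write_chain(directory, length):
    """Constructed test data: f0.mtlx includes f1.mtlx, and so on; the last file includes nothing."""
    for i in range(length):
        lines = ['<?xml version="1.0"?>', '<materialx version="1.39">']
        if i + 1 < length:
            lines.append(f'  <xinclude href="f{i + 1}.mtlx" />')
        lines.append('</materialx>')
        with open(os.path.join(directory, f"f{i}.mtlx"), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return os.path.join(directory, "f0.mtlx")


def run_chain(length, bounded):
    """Write a fresh chain of `length` files and resolve it; report the outcome as a value."""
    resolver = resolve_bounded if bounded else resolve_unbounded
    with tempfile.TemporaryDirectory() as workdir:
        root = write_chain(workdir, length)
        try:
            return resolver(root)
        except RecursionError:
            return "RecursionError"
        except XIncludeDepthError:
            return "XIncludeDepthError"


if __name__ == "__main__":
    print("unbounded, 10 files:  ", run_chain(10, bounded=False))
    print("unbounded, 1500 files:", run_chain(1500, bounded=False))
    print("bounded, 257 files:   ", run_chain(257, bounded=True))
    print("bounded, 258 files:   ", run_chain(258, bounded=True))
```

The root file sits at depth 0, so the bounded resolver accepts a chain of 257 files (the root plus 256 nested includes) and rejects the 258th before opening it; the unbounded resolver accepts any short chain but fails on the 1500-file chain, which is the stack-exhaustion condition the advisory describes. On Windows the href in a real MaterialX file can also be a UNC path, which is the variant that makes the attack easier there.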

This report was generated using AI.

Related Python vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-23949  HIGH      8.6    Python        jaraco.context  No                Yes      Jan 20, 2026
CVE-2026-22219  HIGH      8.3    Python        chainlit        No                Yes      Jan 20, 2026
CVE-2026-23842  HIGH      7.5    Python        chatterbot      No                Yes      Jan 19, 2026
CVE-2026-23877  MEDIUM    5.3    Python        swingmusic      No                Yes      Jan 19, 2026
CVE-2026-23833  LOW       1.7    Python        esphome         No                Yes      Jan 19, 2026
