CVE-2025-6119: Use After Free in Open Asset Import Library Assimp
A vulnerability classified as critical has been found in Open Asset Import Library Assimp up to 5.4.3. Affected is the function Assimp::BVHLoader::ReadNodeChannels in the library assimp/code/AssetLib/BVH/BVHLoader.cpp. The manipulation of the argument pNode leads to use after free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
AI Analysis
Technical Summary
CVE-2025-6119 is a use-after-free vulnerability in the Open Asset Import Library (Assimp), versions 5.4.0 through 5.4.3. The flaw is in the function Assimp::BVHLoader::ReadNodeChannels in the source file assimp/code/AssetLib/BVH/BVHLoader.cpp. Improper handling of the argument pNode leads to a use-after-free condition: the program may access memory that has already been freed, causing undefined behavior such as crashes, memory corruption, or execution of arbitrary code.

The vulnerability requires local access to the system (local attack vector) and low privileges (PR:L), with no user interaction needed (UI:N). The attack complexity is low (AC:L), and there are no additional attack requirements (AT:N). The CVSS 4.0 base score is 4.8, indicating a medium severity level. The impact on the vulnerable system is limited: confidentiality (VC:L), integrity, and availability are each rated low. The vulnerability was publicly disclosed on June 16, 2025, and while no known exploits are currently reported in the wild, the exploit code has been made public. The Assimp project has acknowledged multiple fuzzer-discovered bugs and plans to address them collectively in future releases.

Assimp is widely used for importing and processing 3D asset files in various applications including game engines, CAD software, and visualization tools. The vulnerability could be triggered by processing specially crafted BVH (Biovision Hierarchy) files, which are used for motion capture data. Since exploitation requires local access, attackers would need to have some foothold on the target system to leverage this vulnerability, potentially escalating privileges or causing denial of service through crashes or memory corruption.
Potential Impact
For European organizations, the impact of CVE-2025-6119 depends largely on the extent to which Assimp is integrated into their software ecosystems. Organizations involved in industries such as gaming, animation, virtual reality, CAD, and simulation that utilize Assimp for 3D asset importation are at risk. Exploitation could lead to application crashes, denial of service, or potentially arbitrary code execution if combined with other vulnerabilities, thereby impacting system stability and data integrity. Since the vulnerability requires local access and low privileges, it could be leveraged in multi-user environments or by malicious insiders to escalate privileges or disrupt operations. The limited confidentiality impact reduces the risk of data leakage, but integrity and availability impacts, though low, could affect critical workflows involving 3D assets. European companies relying on Assimp in their development pipelines or production environments might face operational disruptions and increased risk of targeted attacks if attackers gain local access. The public disclosure and availability of exploit code increase the urgency for mitigation, as attackers could incorporate this vulnerability into broader attack chains.
Mitigation Recommendations
- Upgrade Assimp to a version beyond 5.4.3 once the vendor releases a patch addressing this vulnerability. Monitor the official Assimp repository and security advisories for updates.
- Implement strict access controls and monitoring on systems where Assimp is installed to prevent unauthorized local access, as exploitation requires local presence.
- Employ application whitelisting and sandboxing techniques for software components that use Assimp to limit the impact of potential exploitation.
- Conduct regular code audits and fuzz testing on custom integrations of Assimp to identify and remediate similar memory management issues proactively.
- Restrict the processing of untrusted or unauthenticated BVH files, especially from external or user-generated sources, to reduce the attack surface.
- Enhance endpoint detection and response (EDR) capabilities to detect anomalous behaviors indicative of exploitation attempts, such as unexpected crashes or memory access violations.
- Educate developers and system administrators about the risks associated with use-after-free vulnerabilities and the importance of timely patching and secure coding practices.
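The sketch below combines three of these recommendations (restricting untrusted BVH files, sandboxing the import, and surfacing crashes as a detection signal) in one intake wrapper. It is an added example, not code from this page or from the Assimp project. It assumes a POSIX host with the `assimp` command-line tool on the PATH, and the function names `looks_like_bvh` and `import_isolated` are hypothetical.

```python
import resource
import signal
import subprocess


def looks_like_bvh(path):
    """Identify BVH by content, not extension: the format opens with HIERARCHY."""
    with open(path, "rb") as f:
        return f.read(512).lstrip().upper().startswith(b"HIERARCHY")


def _cap(res, value):
    # Tighten the soft limit only; never loosen a limit that is already lower.
    soft, hard = resource.getrlimit(res)
    if soft != resource.RLIM_INFINITY:
        value = min(value, soft)
    resource.setrlimit(res, (value, hard))


def _child_limits():
    # Runs in the child just before exec, so only the importer is constrained.
    _cap(resource.RLIMIT_AS, 2 << 30)   # 2 GiB of address space
    _cap(resource.RLIMIT_CPU, 20)       # 20 seconds of CPU time
    _cap(resource.RLIMIT_CORE, 0)       # no core dumps containing asset data


def import_isolated(path, trusted, cmd=("assimp", "info"), timeout=30):
    """Return 'rejected', 'ok', 'failed', 'timeout' or 'crashed:<SIGNAL>'."""
    if looks_like_bvh(path) and not trusted:
        return "rejected"               # policy: untrusted BVH never reaches the loader
    try:
        proc = subprocess.run(
            [*cmd, path],
            preexec_fn=_child_limits,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode < 0:             # child was killed by a signal
        return "crashed:" + signal.Signals(-proc.returncode).name
    return "ok" if proc.returncode == 0 else "failed"
```

A `crashed:` result is worth logging and alerting on together with the file's hash and origin, since a memory-safety fault in the importer ends the child process and leaves the calling service running.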
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-15T10:18:07.594Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 684ffa37a8c9212743840250
Added to database: 6/16/2025, 11:04:23 AM
Last enriched: 6/16/2025, 11:09:37 AM
Last updated: 7/30/2025, 4:17:47 PM