CVE-2025-53012
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-53012
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53012.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-53012
- Aliases
- Published
- 2025-08-01T18:15:54Z
- Modified
- 2025-08-02T12:00:47.907200Z
- Summary
- [none]
- Details
-
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file imports, recursion is used to process nested files; however, there is no limit imposed to the depth of files that can be parsed by the library. By building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. This is fixed in version 1.39.3.
- References
-
- https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-qc2h-74x3-4v3w
- https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition
- https://github.com/AcademySoftwareFoundation/MaterialX/pull/2233/commits/6182c07467297416a30d148ab531d81198686dc5
- https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3
Affected packages
Git / github.com/academysoftwarefoundation/materialx
Affected ranges
- Type
- GIT
- Repo
- https://github.com/academysoftwarefoundation/materialx
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.35.2
v1.35.3
v1.35.4
v1.35.5
v1.36.0
v1.36.1
v1.36.2
v1.36.3
v1.36.4
v1.36.5
v1.37.0
v1.37.1
v1.37.2
v1.37.3
v1.37.4
v1.38.0
v1.38.1
v1.38.10
v1.38.2
v1.38.3
v1.38.4
v1.38.5
v1.38.6
v1.38.7
v1.38.8
v1.38.9
v1.39.0
v1.39.1
v1.39.1-rc1
v1.39.1-rc2
v1.39.2
v1.39.2-rc1
v1.39.3-rc1