GHSA-3jhf-gxhr-q4cx

Suggest an improvement
Source
https://github.com/advisories/GHSA-3jhf-gxhr-q4cx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-3jhf-gxhr-q4cx/GHSA-3jhf-gxhr-q4cx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3jhf-gxhr-q4cx
Aliases
Published
2025-07-31T18:31:11Z
Modified
2025-08-01T18:36:02Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
MaterialX Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return
Details

Summary

When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.

Details

In src/MaterialXCore/Material.cpp, in function getShaderNodes, the following code fetches the output nodes for a given nodegraph input node:

// SNIP...
        else if (input->hasNodeGraphString())
        {
            // Check upstream nodegraph connected to the input.
            // If no explicit output name given then scan all outputs on the nodegraph.
            ElementPtr parent = materialNode->getParent();
            NodeGraphPtr nodeGraph = parent->getChildOfType<NodeGraph>(input->getNodeGraphString());
            if (!nodeGraph)
            {
                continue;
            }
            vector<OutputPtr> outputs;
            if (input->hasOutputString())
            {
                outputs.push_back(nodeGraph->getOutput(input->getOutputString())); // <--- null ptr is returned
            }
            else
            {
                outputs = nodeGraph->getOutputs();
            }
            for (OutputPtr output : outputs)
            {
                NodePtr upstreamNode = output->getConnectedNode(); // <--- CRASHES HERE
                if (upstreamNode && !shaderNodeSet.count(upstreamNode))
                {
                    if (!target.empty() && !upstreamNode->getNodeDef(target))
                    {
                        continue;
                    }
                    shaderNodeVec.push_back(upstreamNode);
                    shaderNodeSet.insert(upstreamNode);
                }
            }
        }
    }
// SNIP...

The issues arise because the nodeGraph->getOutput(input->getOutputString()) call can return a null pointer, therefore when trying to call output->getConnectedNode(), this results in a crash .

PoC

Please download nullptr_getshadernodes.mltx from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010

build/bin/MaterialXView --material nullptr_getshadernodes.mtlx

Impact

An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file.

Database specific 
{
    "nvd_published_at": "2025-08-01T18:15:54Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-31T18:31:11Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-476"
    ]
}
References

Affected packages

PyPI / materialx

Package

Name
materialx
View open source insights on deps.dev
Purl
pkg:pypi/materialx

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.39.2
Fixed
1.39.3

Affected versions

1.*

1.39.2