GHSA-grjp-54v3-c442

Source
https://github.com/advisories/GHSA-grjp-54v3-c442
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-grjp-54v3-c442/GHSA-grjp-54v3-c442.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-grjp-54v3-c442
Published
2025-10-29T22:13:03Z
Modified
2025-10-29T22:31:30.040308Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability
Details

Patch

This is fixed with commit b953092, with the fix available in OpenUSD 25.11 and onwards.

Summary

We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrating the issue. Indeed, we see a use-after-free exception when running the file through our importer with an address sanitizer.

zdi-23709-poc0.zip

Thanks in advance.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T22:13:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-416"
    ]
}
References

Affected packages

PyPI / usd-core

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
25.11

Affected versions

20.*
20.11
21.*
21.2
21.5
21.8
21.11
22.*
22.3
22.5
22.5.post1
22.8
22.11
23.*
23.2
23.5
23.8
23.11
24.*
24.3
24.5
24.8
24.11
25.*
25.2
25.2.post1
25.5
25.5.1
25.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-grjp-54v3-c442/GHSA-grjp-54v3-c442.json"
last_known_affected_version_range
"<= 25.08"