{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53009", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-24T03:50:36.795Z", "datePublished": "2025-08-01T17:57:56.221Z", "dateUpdated": "2025-08-01T18:22:16.665Z"}, "containers": {"cna": {"title": "MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822"}, {"name": "https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504"}, {"name": "https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505"}, {"name": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3"}, {"name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009", "tags": ["x_refsource_MISC"], "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009"}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "MaterialX", "versions": [{"version": ">= 1.39.2, < 1.39.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T17:57:56.221Z"}, "descriptions": [{"lang": "en", "value": "MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3."}], "source": {"advisory": "GHSA-wx6g-fm6f-w822", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-01T18:22:02.537859Z", "id": "CVE-2025-53009", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:22:16.665Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53009", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-01T18:22:02.537859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T18:22:04.969Z"}}], "cna": {"title": "MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit", "source": {"advisory": "GHSA-wx6g-fm6f-w822", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "MaterialX", "versions": [{"status": "affected", "version": ">= 1.39.2, < 1.39.3"}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822", "name": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504", "name": "https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505", "name": "https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3", "name": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009", "name": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T17:57:56.221Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53009", "state": "PUBLISHED", "dateUpdated": "2025-08-01T18:22:16.665Z", "dateReserved": "2025-06-24T03:50:36.795Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-01T17:57:56.221Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3."}, {"lang": "es", "value": "MaterialX es un est\u00e1ndar abierto para el intercambio de material enriquecido y contenido de desarrollo de apariencia entre aplicaciones y renderizadores. En las versiones 1.39.2 y anteriores, al analizar un archivo MTLX con m\u00faltiples implementaciones de nodegraph anidadas, la l\u00f3gica de an\u00e1lisis XML de MaterialX puede bloquearse debido al agotamiento de la pila. Un atacante podr\u00eda bloquear intencionalmente un programa objetivo que use OpenEXR enviando un archivo MTLX malicioso. Esto se solucion\u00f3 en la versi\u00f3n 1.39.3."}], "id": "CVE-2025-53009", "lastModified": "2025-08-04T15:06:15.833", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-01T18:15:54.463", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504"}, {"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505"}, {"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822"}, {"source": "security-advisories@github.com", "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}