CVE-2025-53009

MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504	Issue Tracking
https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505	Issue Tracking Patch
https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3	Release Notes
https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822	Exploit Vendor Advisory
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:materialx:1.39.2:-:*:*:*:*:*:*

History

20 Aug 2025, 21:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:linuxfoundation:materialx:1.39.2:-::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504 -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504 - Issue Tracking
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505 -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505 - Issue Tracking, Patch
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3 -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3 - Release Notes
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822 -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822 - Exploit, Vendor Advisory
References	~~() https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009 -~~	() https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009 - Exploit
First Time		Linuxfoundation Linuxfoundation materialx

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) MaterialX es un estándar abierto para el intercambio de material enriquecido y contenido de desarrollo de apariencia entre aplicaciones y renderizadores. En las versiones 1.39.2 y anteriores, al analizar un archivo MTLX con múltiples implementaciones de nodegraph anidadas, la lógica de análisis XML de MaterialX puede bloquearse debido al agotamiento de la pila. Un atacante podría bloquear intencionalmente un programa objetivo que use OpenEXR enviando un archivo MTLX malicioso. Esto se solucionó en la versión 1.39.3.

01 Aug 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-01 18:15

Updated : 2025-08-20 21:24

NVD link : CVE-2025-53009

Mitre link : CVE-2025-53009

CVE.ORG link : CVE-2025-53009

JSON object : View

Products Affected

linuxfoundation

materialx

CWE

CWE-121

Stack-based Buffer Overflow

7.5 /10