CVE-2025-53009
EPSS 1.8%MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit
描述
### Summary When parsing an MTLX file with multiple nested `nodegraph` implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. ### Details By specification, multiple kinds of elements in MTLX support nesting other elements, such as in the case of `nodegraph` elements. Parsing these subtrees is implemented via recursion, and since there is no max depth imposed on the XML document, this can lead to a stack overflow when the library parses an MTLX file with an excessively high number of nested elements. ### PoC Please download the `recursion_overflow.mtlx` file from the following link: https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009 `build/bin/MaterialXView --material recursion_overflow.mtlx` ### Impact An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.
受影響套件(1)
- PyPI/materialx>= 1.39.2, < 1.39.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53009
- PATCHhttps://github.com/AcademySoftwareFoundation/MaterialX
- WEBhttps://github.com/AcademySoftwareFoundation/MaterialX/issues/2504
- WEBhttps://github.com/AcademySoftwareFoundation/MaterialX/pull/2505
- WEBhttps://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3
- WEBhttps://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822
- WEBhttps://github.com/ShielderSec/poc/tree/main/CVE-2025-53009