GHSA-WX6G-FM6F-W822

Vulnerability from github – Published: 2025-07-31 19:37 – Updated: 2025-08-01 18:35
Summary
MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit
Details

Summary

When parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion.

Details

By specification, multiple kinds of elements in MTLX support nesting other elements, such as in the case of nodegraph elements. Parsing these subtrees is implemented via recursion, and since there is no max depth imposed on the XML document, this can lead to a stack overflow when the library parses an MTLX file with an excessively high number of nested elements.
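The parsing pattern described above, as an added example that is not MaterialX's own code: a constructed MTLX document with an arbitrary number of nested nodegraph elements is walked once by a naive recursive function and once by a function that enforces a maximum nesting depth before descending. The MAX_DEPTH value of 64, the function names and the use of Python's xml.etree are assumptions chosen for illustration and do not reproduce the values or API of the 1.39.3 fix; the naive walker relies on CPython's default recursion limit of 1000 frames to turn the unbounded recursion into a catchable RecursionError rather than a native stack overflow, which is the crash a C++ consumer of the library would see.

```python
import xml.etree.ElementTree as ET

# Assumed limit for this example; MaterialX's own fixed value is not reproduced here.
MAX_DEPTH = 64


def make_nested_mtlx(depth: int) -> str:
    """Constructed MTLX document: `depth` <nodegraph> elements nested one inside the next."""
    opening = "".join(f'<nodegraph name="ng{i}">' for i in range(depth))
    closing = "</nodegraph>" * depth
    return f'<?xml version="1.0"?><materialx version="1.39">{opening}{closing}</materialx>'


def count_elements_unguarded(elem: ET.Element) -> int:
    """Recursive subtree walk with no depth check: one interpreter frame per nesting
    level, so a sufficiently nested document exhausts the frame limit (the Python
    analogue of the native stack exhaustion in the advisory)."""
    return 1 + sum(count_elements_unguarded(child) for child in elem)


def count_elements_guarded(elem: ET.Element, depth: int = 0, max_depth: int = MAX_DEPTH) -> int:
    """Same walk, but refuses documents nested deeper than max_depth before recursing further,
    so hostile input produces a clean error instead of unbounded recursion."""
    if depth > max_depth:
        raise ValueError(f"MTLX element nesting exceeds the limit of {max_depth}")
    return 1 + sum(count_elements_guarded(child, depth + 1, max_depth) for child in elem)


def walk_outcome(depth: int, guarded: bool) -> str:
    """Parse a document of the given nesting depth and report how the walker fared:
    'ok:<element count>' on success, 'rejected' for the guarded walker's depth error,
    'recursion_error' when the unguarded walker exceeds the interpreter's frame limit."""
    root = ET.fromstring(make_nested_mtlx(depth))
    walker = count_elements_guarded if guarded else count_elements_unguarded
    try:
        return f"ok:{walker(root)}"
    except RecursionError:
        return "recursion_error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for depth in (8, MAX_DEPTH, MAX_DEPTH + 1, 10000):
        print(f"depth={depth:>6}  unguarded={walk_outcome(depth, False):<16} "
              f"guarded={walk_outcome(depth, True)}")
```

The guard is placed before the recursive call rather than after it, so the deepest frame ever created is max_depth + 1 regardless of input size; expat itself parses the document without recursion, which is why the tree can be built at all and the problem only surfaces in the recursive walk. The 10000-deep case assumes the interpreter's recursion limit has not been raised above the default.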

PoC

Please download the recursion_overflow.mtlx file from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009

build/bin/MaterialXView --material recursion_overflow.mtlx

Impact

An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "MaterialX"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.39.2"
            },
            {
              "fixed": "1.39.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.39.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-31T19:37:48Z",
    "nvd_published_at": "2025-08-01T18:15:54Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen parsing an MTLX file with multiple nested `nodegraph` implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion.\n\n### Details\n\nBy specification, multiple kinds of elements in MTLX support nesting other elements, such as in the case of `nodegraph` elements. Parsing these subtrees is implemented via recursion, and since there is no max depth imposed on the XML document, this can lead to a stack overflow when the library parses an MTLX file with an excessively high number of nested elements.\n\n### PoC\n\nPlease download the `recursion_overflow.mtlx` file from the following link: \n\nhttps://github.com/ShielderSec/poc/tree/main/CVE-2025-53009\n\n`build/bin/MaterialXView --material recursion_overflow.mtlx`\n\n\n### Impact\nAn attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.",
  "id": "GHSA-wx6g-fm6f-w822",
  "modified": "2025-08-01T18:35:57Z",
  "published": "2025-07-31T19:37:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/issues/2504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/pull/2505"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit "
}
