logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-53010 materialx

Package

Manager: pip
Name: materialx
Vulnerable Version: =1.39.2 || >=1.39.2 <1.39.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

EPSS: 0.0004 pctl0.11124

Details

MaterialX Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return ### Summary When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. ### Details In `src/MaterialXCore/Material.cpp`, in function `getShaderNodes`, the following code fetches the output nodes for a given `nodegraph` input node: ```cpp // SNIP... else if (input->hasNodeGraphString()) { // Check upstream nodegraph connected to the input. // If no explicit output name given then scan all outputs on the nodegraph. ElementPtr parent = materialNode->getParent(); NodeGraphPtr nodeGraph = parent->getChildOfType<NodeGraph>(input->getNodeGraphString()); if (!nodeGraph) { continue; } vector<OutputPtr> outputs; if (input->hasOutputString()) { outputs.push_back(nodeGraph->getOutput(input->getOutputString())); // <--- null ptr is returned } else { outputs = nodeGraph->getOutputs(); } for (OutputPtr output : outputs) { NodePtr upstreamNode = output->getConnectedNode(); // <--- CRASHES HERE if (upstreamNode && !shaderNodeSet.count(upstreamNode)) { if (!target.empty() && !upstreamNode->getNodeDef(target)) { continue; } shaderNodeVec.push_back(upstreamNode); shaderNodeSet.insert(upstreamNode); } } } } // SNIP... ``` The issues arise because the `nodeGraph->getOutput(input->getOutputString())` call can return a null pointer, therefore when trying to call `output->getConnectedNode()`, this results in a crash . ### PoC Please download `nullptr_getshadernodes.mltx` from the following link: https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010 `build/bin/MaterialXView --material nullptr_getshadernodes.mtlx` ### Impact An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file.

Metadata

Created: 2025-07-31T18:31:11Z
Modified: 2025-08-01T18:36:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-3jhf-gxhr-q4cx/GHSA-3jhf-gxhr-q4cx.json
CWE IDs: ["CWE-476"]
Alternative ID: GHSA-3jhf-gxhr-q4cx
Finding: F002
Auto approve: 1