Description
MaterialX Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return
Summary
When parsing shader nodes in an MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
Details
In src/MaterialXCore/Material.cpp, in function getShaderNodes, the following code fetches the output nodes for a given nodegraph input node:
The issue arises because the nodeGraph->getOutput(input->getOutputString()) call can return a null pointer, so the subsequent call to output->getConnectedNode() dereferences it and crashes.
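The unchecked-return pattern described above, next to a guarded form, as an added example that is not MaterialX's code or its fix. Node, Output, NodeGraph and the helper functions are simplified hypothetical stand-ins that model only the getOutput and getConnectedNode calls named in the advisory.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in types, not the MaterialX classes.
struct Node { std::string name; };
using NodePtr = std::shared_ptr<Node>;

struct Output {
    NodePtr connected;
    NodePtr getConnectedNode() const { return connected; }
};
using OutputPtr = std::shared_ptr<Output>;

struct NodeGraph {
    std::map<std::string, OutputPtr> outputs;
    // Returns nullptr when the graph has no output with that name.
    OutputPtr getOutput(const std::string& name) const {
        auto it = outputs.find(name);
        if (it == outputs.end()) return nullptr;
        return it->second;
    }
};

// Unchecked pattern: the output name comes from the file, so the lookup can fail.
NodePtr connectedNodeUnchecked(const NodeGraph& g, const std::string& outputName) {
    OutputPtr output = g.getOutput(outputName);
    return output->getConnectedNode();  // undefined behaviour when output is null
}

// Guarded pattern: treat an unresolved output name as "no connected node".
NodePtr connectedNodeChecked(const NodeGraph& g, const std::string& outputName) {
    OutputPtr output = g.getOutput(outputName);
    if (!output) return nullptr;
    return output->getConnectedNode();
}

// Collect connected nodes for file-supplied output names, skipping dangling ones.
std::vector<NodePtr> collectNodes(const NodeGraph& g, const std::vector<std::string>& names) {
    std::vector<NodePtr> found;
    for (const auto& n : names)
        if (NodePtr node = connectedNodeChecked(g, n)) found.push_back(node);
    return found;
}

// Constructed sample graph with a single output named "out".
NodeGraph sampleGraph() {
    NodeGraph g;
    g.outputs["out"] = std::make_shared<Output>(Output{std::make_shared<Node>(Node{"shader1"})});
    return g;
}
```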
PoC
Please download nullptr_getshadernodes.mtlx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010
build/bin/MaterialXView --material nullptr_getshadernodes.mtlx
Impact
An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file.
References
- https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-3jhf-gxhr-q4cx
- https://nvd.nist.gov/vuln/detail/CVE-2025-53010
- https://github.com/AcademySoftwareFoundation/MaterialX/commit/e13344ba13326869d7820b444705f24d56fab73d
- https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010
Packages
MaterialX: affected = 1.39.2, fixed in 1.39.3
Related vulnerabilities
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in an MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.