CVE-2025-53009

Description

### Summary When parsing an MTLX file with multiple nested `nodegraph` implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. ### Details By specification, multiple kinds of elements in MTLX support nesting other elements, such as in the case of `nodegraph` elements. Parsing these subtrees is implemented via recursion, and since there is no max depth imposed on the XML document, this can lead to a stack overflow when the library parses an MTLX file with an excessively high number of nested elements. ### PoC Please download the `recursion_overflow.mtlx` file from the following link: https://github.com/ShielderSec/poc/tree/main/CVE-2025-53009 `build/bin/MaterialXView --material recursion_overflow.mtlx` ### Impact An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.

How to fix CVE-2025-53009

To remediate CVE-2025-53009, upgrade the affected package to a fixed version below.

• —upgrade to 1.39.3 or later

Is CVE-2025-53009 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 1.39.2, < 1.39.3

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-53009
• PATCHgithub.com/AcademySoftwareFoundation/MaterialX
• WEBgithub.com/AcademySoftwareFoundation/MaterialX/commit/91ffea0de7bfe7bcd0c399b07f04fc48227055ff
• WEBgithub.com/AcademySoftwareFoundation/MaterialX/issues/2504