MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit
Description
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MaterialX 1.39.2 and below crash on parsing MTLX files with deeply nested nodegraphs, enabling denial-of-service via a malicious file.
Vulnerability
Overview
CVE-2025-53009 is a stack exhaustion flaw in the MaterialX XML parsing logic. In versions 1.39.2 and earlier, when parsing an MTLX file that contains multiple nested nodegraph implementations, the recursive parser can consume all available stack space, resulting in a crash [1][2]. The root cause is the lack of a depth limit on nested `<nodegraph>` elements during XML parsing.
Exploitation
An attacker can exploit this vulnerability by crafting a specially malformed MTLX file with deeply nested `<nodegraph>` structures and convincing a target user or automated pipeline to open it. No authentication or special network position is required beyond the ability to supply the file to a MaterialX parser (e.g., the MaterialX Viewer or any application using the MaterialX library). The official CVE description states that the attack vector is local and does not require network access [3].
Impact
Successful exploitation leads to a denial-of-service (DoS) condition: the target application or service crashes abruptly. No data confidentiality or integrity is compromised, but availability is affected. The vulnerability is rated with a CVSS score indicating medium severity [3].
Mitigation
The issue is fixed in MaterialX version 1.39.3, released on or about August 21, 2025 [1]. Users should update to version 1.39.3 or later. No workarounds have been published; however, avoiding the parsing of untrusted MTLX files can reduce risk. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
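A defensive pre-check for the nesting problem described above, added here as an example and not code from MaterialX or the advisory: it streams the XML through Python's expat binding (which builds no tree and does not recurse), counts `<nodegraph>` nesting, and rejects the file before a vulnerable MaterialX build would ever see it. The 32-level ceiling and the `nested_mtlx` helper are assumptions made for this example.

```python
"""Pre-parse nesting check for untrusted MTLX input (added example, not
MaterialX code). MaterialX 1.39.2 and earlier recursed once per nested
<nodegraph> while building its document model, so deep nesting exhausted
the stack (CVE-2025-53009). expat streams the XML without building a tree
or recursing, so a hostile file is rejected before it reaches MaterialX."""
import xml.parsers.expat

MAX_NODEGRAPH_DEPTH = 32  # assumed ceiling for this example; real scenes nest far less


class NestingTooDeep(ValueError):
    """Raised when <nodegraph> nesting exceeds the configured limit."""


def max_nodegraph_depth(mtlx: bytes, limit: int = MAX_NODEGRAPH_DEPTH) -> int:
    """Return the deepest <nodegraph> nesting; raise NestingTooDeep as soon as
    `limit` is crossed, so a hostile file is abandoned after `limit` open tags."""
    depth = deepest = 0

    def start(name, _attrs):
        nonlocal depth, deepest
        if name == "nodegraph":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nodegraph nesting {depth} > {limit}")
            deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        if name == "nodegraph":
            depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(mtlx, True)  # an exception raised inside start() propagates here
    return deepest


def is_safe_to_parse(mtlx: bytes, limit: int = MAX_NODEGRAPH_DEPTH) -> bool:
    """Gate for untrusted input: True only when nesting is within the limit."""
    try:
        max_nodegraph_depth(mtlx, limit)
        return True
    except NestingTooDeep:
        return False


def nested_mtlx(levels: int) -> bytes:
    """Constructed MTLX document with `levels` nodegraphs nested inside each other."""
    opens = "".join(f'<nodegraph name="g{i}">' for i in range(levels))
    return (f'<?xml version="1.0"?><materialx version="1.39">{opens}'
            + "</nodegraph>" * levels + "</materialx>").encode()
```

Call `is_safe_to_parse()` on the raw bytes before handing them to the MaterialX loader; sibling nodegraphs do not add depth, only nesting does.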
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| MaterialX (PyPI) | >= 1.39.2, < 1.39.3 | 1.39.3 |
Affected products
- AcademySoftwareFoundation/MaterialX (range: >= 1.39.2, < 1.39.3)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wx6g-fm6f-w822 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53009 (GHSA, advisory)
- github.com/AcademySoftwareFoundation/MaterialX/issues/2504 (GHSA, x_refsource_MISC, web)
- github.com/AcademySoftwareFoundation/MaterialX/pull/2505 (GHSA, x_refsource_MISC, web)
- github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3 (GHSA, x_refsource_MISC, web)
- github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822 (GHSA, x_refsource_CONFIRM, web)
- github.com/ShielderSec/poc/tree/main/CVE-2025-53009 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.