VYPR
Low severity · NVD Advisory · Published Aug 1, 2025 · Updated Aug 1, 2025

MaterialX is Vulnerable to NULL Pointer Dereference due to Unchecked implGraphOutput

CVE-2025-53011

Description

MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MaterialX 1.39.2 contains a null pointer dereference in getShaderNodes that can be triggered by a crafted MTLX file, causing a crash.

Vulnerability

Overview

CVE-2025-53011 is a null pointer dereference vulnerability in version 1.39.2 of MaterialX, an open standard for exchanging rich material and look-development content. The issue occurs in the getShaderNodes function of the MaterialXCore library when it parses a specially crafted MTLX file. The code dereferences a pointer that may be null without first validating it, which crashes the process [1][3].

Exploitation

An attacker can exploit this vulnerability by sending a malicious MTLX file to a target application that uses MaterialX. No authentication is required, as the crash occurs during file parsing. The attack surface includes any software that processes MTLX files using the affected version of MaterialX [1]. The fix, introduced in commit 7ac1c71, adds an additional null check for the output pointer before traversing its graph [3].

Impact

Successful exploitation results in a denial of service (DoS) by crashing the target application. The vulnerability does not allow arbitrary code execution or data exfiltration. Public proof-of-concept code is available, demonstrating the ease of triggering the crash [4].

Mitigation

The vulnerability is fixed in MaterialX version 1.39.3. Users should upgrade to this version or later. No workarounds are available, as the issue is in the core parsing logic [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: MaterialX (PyPI)
Affected versions: >= 1.39.2, < 1.39.3
Patched versions: 1.39.3

Affected products

  • Range: <=1.39.2
  • AcademySoftwareFoundation/MaterialXv5
    Range: >= 1.39.2, < 1.39.3

Patches

7ac1c71de518

Add second null check in getShaderNodes (#2229)

1 file changed · +16 -13
  • source/MaterialXCore/Material.cpp (+16 -13, modified)
    @@ -92,23 +92,26 @@ vector<NodePtr> getShaderNodes(NodePtr materialNode, const string& nodeType, con
                         if (defOutput->getType() == MATERIAL_TYPE_STRING)
                         {
                             OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName());
    -                        for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
    +                        if (implGraphOutput)
                             {
    -                            ElementPtr upstreamElem = it.getUpstreamElement();
    -                            if (!upstreamElem)
    +                            for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
                                 {
    -                                it.setPruneSubgraph(true);
    -                                continue;
    -                            }
    -                            NodePtr upstreamNode = upstreamElem->asA<Node>();
    -                            if (upstreamNode && upstreamNode->getType() == MATERIAL_TYPE_STRING)
    -                            {
    -                                for (NodePtr shaderNode : getShaderNodes(upstreamNode, nodeType, target))
    +                                ElementPtr upstreamElem = it.getUpstreamElement();
    +                                if (!upstreamElem)
    +                                {
    +                                    it.setPruneSubgraph(true);
    +                                    continue;
    +                                }
    +                                NodePtr upstreamNode = upstreamElem->asA<Node>();
    +                                if (upstreamNode && upstreamNode->getType() == MATERIAL_TYPE_STRING)
                                     {
    -                                    if (!shaderNodeSet.count(shaderNode))
    +                                    for (NodePtr shaderNode : getShaderNodes(upstreamNode, nodeType, target))
                                         {
    -                                        shaderNodeVec.push_back(shaderNode);
    -                                        shaderNodeSet.insert(shaderNode);
    +                                        if (!shaderNodeSet.count(shaderNode))
    +                                        {
    +                                            shaderNodeVec.push_back(shaderNode);
    +                                            shaderNodeSet.insert(shaderNode);
    +                                        }
                                         }
                                     }
                                 }
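
Review bot: at the new `if (implGraphOutput)` line, a nodedef output with no matching output in the implementation graph is now skipped silently, so a malformed document produces a shorter shader-node list with nothing telling the caller why. Add a short comment stating that a missing graph output is deliberately treated as "no upstream shader nodes", or report it through whatever validation path the document already has. Style point on the same line: wrapping the loop re-indents every line of its body for a one-condition change; an early `if (!implGraphOutput) continue;` directly after the `getOutput` call would keep the change to two lines, provided the enclosing construct is a loop with nothing else to run after this block (the hunk does not show it). A regression test that loads a document whose implementation graph lacks the named output would pin the fix.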
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
