When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:
InterfaceElementPtr impl = materialNodeDef->getImplementation();
if (impl && impl->isA<NodeGraph>())
{
NodeGraphPtr implGraph = impl->asA<NodeGraph>();
for (OutputPtr defOutput : materialNodeDef->getOutputs())
{
if (defOutput->getType() == MATERIAL_TYPE_STRING)
{
OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName());
for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
{
ElementPtr upstreamElem = it.getUpstreamElement();
if (!upstreamElem)
{
it.setPruneSubgraph(true);
continue;
}
NodePtr upstreamNode = upstreamElem->asA<Node>();
if (upstreamNode && upstream
However, when defining the implGraphOutput variable by getting the output node, the code doesn't check whether its value is null before accessing its iterator traverseGraph(). This leads to a potential null pointer dereference.
Please download nullptr_implgraph.mtlx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011
build/bin/MaterialXView --material nullptr_implgraph.mtlx
An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.
| Score | Percentile |
|---|---|
| 0.11% | 29.58% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.0 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-7qw8-3vmf-gj32 ↗ |
| CVE | CVE-2025-53011 ↗ |
| CWE id | Name |
|---|---|
| CWE-476 | NULL Pointer Dereference |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | MaterialX | = 1.39.2 | 1.39.3 | — |