CVE-2025-53009: MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| MaterialX | pip | = 1.39.2 | 1.39.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a stack overflow due to unbounded recursion when parsing MaterialX (MTLX) XML files. The analysis of the commits between the vulnerable version (1.39.2) and the patched version (1.39.3) points to two functions that were fixed to prevent this.
The primary vulnerable function was MaterialX::elementFromXml located in source/MaterialXFormat/XmlIo.cpp. This function was responsible for parsing the XML structure. The initial fix, seen in commit 51be1ba31a79a292a9c2be9470a8b0f90c26372d, introduced a depth check to the recursion. However, a more comprehensive fix was implemented in commit db91313e16cc3266789c6cc04d6f499cffa1cf40, which refactored the entire parsing process to be iterative using an explicit stack, thus completely eliminating the risk of stack overflow from deep element trees.
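The two fixes described above follow the standard pattern for recursion-driven stack exhaustion: first cap the recursion depth, then remove the recursion altogether. The following is an added C++ example (not MaterialX's code, and not taken from the commits above) that shows both approaches on a simplified stand-in for a parsed XML tree. The names `XmlDoc`, `flattenRecursive`, `flattenIterative` and the limit `MAX_ELEMENT_DEPTH` are assumptions for the example; MaterialX's real `elementFromXml` builds `Element` objects from a pugixml tree, which this code only imitates by recording each element's tag name and nesting depth.

```cpp
#include <cstddef>
#include <iostream>
#include <stack>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-in for a parsed XML DOM. Nodes live in a flat arena and
// refer to children by index, so building or destroying even a very deep
// tree never recurses (nested std::vector destructors would).
struct XmlNode {
    std::string name;
    std::vector<std::size_t> children;  // indices into XmlDoc::nodes
};

struct XmlDoc {
    std::vector<XmlNode> nodes;  // nodes[0] is the document element
};

// One parsed element: (tag name, nesting depth), in document (pre-)order.
using FlatElements = std::vector<std::pair<std::string, std::size_t>>;

// Constructed sample input: <materialx><nodegraph><nodegraph>...</nodegraph>...
// nested `depth` levels deep. Built iteratively so construction cannot recurse.
XmlDoc makeNestedDoc(std::size_t depth) {
    XmlDoc doc;
    doc.nodes.push_back({"materialx", {}});
    std::size_t parent = 0;
    for (std::size_t i = 0; i < depth; ++i) {
        doc.nodes.push_back({"nodegraph", {}});
        doc.nodes[parent].children.push_back(doc.nodes.size() - 1);
        parent = doc.nodes.size() - 1;
    }
    return doc;
}

// Approach 1 (the first fix): keep the recursive walk but refuse input nested
// deeper than a fixed limit. The limit value here is an assumption, not MaterialX's.
constexpr std::size_t MAX_ELEMENT_DEPTH = 64;

void flattenRecursiveImpl(const XmlDoc& doc, std::size_t idx, std::size_t depth,
                          FlatElements& out) {
    if (depth > MAX_ELEMENT_DEPTH)
        throw std::runtime_error("element nesting exceeds MAX_ELEMENT_DEPTH");
    out.emplace_back(doc.nodes[idx].name, depth);
    for (std::size_t child : doc.nodes[idx].children)
        flattenRecursiveImpl(doc, child, depth + 1, out);  // one C++ frame per level
}

FlatElements flattenRecursive(const XmlDoc& doc) {
    FlatElements out;
    flattenRecursiveImpl(doc, 0, 0, out);
    return out;
}

// Approach 2 (the second fix): an explicit work stack replaces recursion, so
// the C++ call stack stays flat no matter how deep the input nests. Children
// are pushed in reverse so they pop in document order.
FlatElements flattenIterative(const XmlDoc& doc) {
    FlatElements out;
    std::stack<std::pair<std::size_t, std::size_t>> work;  // (node index, depth)
    work.push({0, 0});
    while (!work.empty()) {
        auto [idx, depth] = work.top();
        work.pop();
        out.emplace_back(doc.nodes[idx].name, depth);
        const auto& kids = doc.nodes[idx].children;
        for (auto it = kids.rbegin(); it != kids.rend(); ++it)
            work.push({*it, depth + 1});
    }
    return out;
}

// True if the depth-guarded recursive parser rejects a document of this depth.
bool recursiveRejects(std::size_t depth) {
    try {
        flattenRecursive(makeNestedDoc(depth));
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

int main() {
    std::cout << "depth 10 rejected by guard: " << recursiveRejects(10) << "\n";
    std::cout << "depth 1000 rejected by guard: " << recursiveRejects(1000) << "\n";
    std::cout << "iterative parse of depth 200000: "
              << flattenIterative(makeNestedDoc(200000)).size() << " elements\n";
}
```

The two walks produce identical output for any input the guarded version accepts, which is the property a regression test for this kind of refactor should pin down. The iterative version handles a 200,000-level document in heap memory only; the same depth fed to an unguarded recursive walk is exactly the crash this CVE describes.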
A second, related vulnerability was found in the MaterialX::processXIncludes function in the same file. This function could also be made to recurse deeply by processing a chain of xi:include directives. Commit defc03b7aca865d7e71a9197da9351d3f5ea8786 added a depth check (MAX_XINCLUDE_DEPTH) to mitigate this vector.
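Include processing is the other recursion on this page, and the same depth-cap fix applies. Below is an added C++ example (not MaterialX's `processXIncludes`, and not from the commit above) in which the set of `.mtlx` files is a constructed in-memory graph from file name to the names its `xi:include` directives reference. The constant keeps the page's name `MAX_XINCLUDE_DEPTH`, but its value and every other identifier here (`IncludeGraph`, `processXIncludes`, `makeChain`) are assumptions for the example. A side effect worth noting: the same depth check also terminates a file that includes itself, which would otherwise loop forever rather than merely overflow.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for .mtlx files on disk: file name -> the file names
// its xi:include directives reference, in document order.
using IncludeGraph = std::map<std::string, std::vector<std::string>>;

// Depth limit on nested xi:include processing. The name matches the page's
// constant; the value is an assumption for this example.
constexpr std::size_t MAX_XINCLUDE_DEPTH = 32;

struct IncludeResult {
    bool ok = true;
    std::vector<std::string> loadOrder;  // files in the order they were fully resolved
    std::string error;
};

void processXIncludesImpl(const IncludeGraph& files, const std::string& file,
                          std::size_t depth, IncludeResult& out) {
    if (depth > MAX_XINCLUDE_DEPTH)
        throw std::runtime_error("XInclude chain exceeds MAX_XINCLUDE_DEPTH at " + file);
    auto it = files.find(file);
    if (it == files.end())
        throw std::runtime_error("included file not found: " + file);
    // Resolve each included file (one recursion level each) before the
    // including file itself counts as resolved.
    for (const std::string& child : it->second)
        processXIncludesImpl(files, child, depth + 1, out);
    out.loadOrder.push_back(file);
}

// Entry point: returns a status instead of throwing so callers can report
// a rejected document cleanly rather than crash.
IncludeResult processXIncludes(const IncludeGraph& files, const std::string& root) {
    IncludeResult result;
    try {
        processXIncludesImpl(files, root, 0, result);
    } catch (const std::runtime_error& e) {
        result.ok = false;
        result.error = e.what();
    }
    return result;
}

std::string fileName(std::size_t i) {
    return "file" + std::to_string(i) + ".mtlx";
}

// Constructed sample: a chain file0.mtlx -> file1.mtlx -> ... -> file<length>.mtlx.
IncludeGraph makeChain(std::size_t length) {
    IncludeGraph g;
    for (std::size_t i = 0; i <= length; ++i) {
        std::vector<std::string>& includes = g[fileName(i)];  // creates the entry
        if (i < length)
            includes.push_back(fileName(i + 1));
    }
    return g;
}

int main() {
    IncludeResult ok = processXIncludes(makeChain(3), "file0.mtlx");
    std::cout << "chain of 4 files ok: " << ok.ok
              << ", first resolved: " << ok.loadOrder.front() << "\n";
    IncludeResult deep = processXIncludes(makeChain(100), "file0.mtlx");
    std::cout << "chain of 101 files ok: " << deep.ok << " (" << deep.error << ")\n";
    IncludeGraph self{{"self.mtlx", {"self.mtlx"}}};
    std::cout << "self-include ok: " << processXIncludes(self, "self.mtlx").ok << "\n";
}
```

With the root file at depth 0, a chain of 33 files fits under the limit and a 34th link is rejected; the error message names the file at which the limit was hit, which is the detail a parser should surface so the offending include can be found in the input.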
An attacker could exploit this by crafting a malicious MTLX file with either deeply nested XML elements or a long chain of XIncludes, causing the application to crash due to stack exhaustion. A crash triggered this way leaves a recognizable signature: the stack trace is unusually deep and consists of repeated frames of MaterialX::elementFromXml or MaterialX::processXIncludes, which is what to look for in crash dumps or profiler output when triaging a suspected instance.