SCA: security update for MaterialX (GHSA-qc2h-74x3-4v3w)

medium Tenable Self-Hosted Container Security Plugin ID 428703

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- MaterialX is an open standard for the exchange of rich material and look-development content across
applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via
stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file
imports, recursion is used to process nested files; however, there is no limit imposed to the depth of
files that can be parsed by the library. By building a sufficiently deep chain of MaterialX files one
referencing the next, it is possible to crash the process using the MaterialX library via stack
exhaustion. This is fixed in version 1.39.3. (CVE-2025-53012)

See Also

https://github.com/advisories/GHSA-qc2h-74x3-4v3w

Plugin Details

Severity: Medium

ID: 428703

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 8/1/2025

Updated: 7/6/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-53012

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 5.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/31/2025

Vulnerability Publication Date: 7/31/2025

Reference Information

CVE: CVE-2025-53012

cwe: CWE-400