CVE-2025-57108

9.8 CRITICAL

📋 TL;DR

CVE-2025-57108 is a critical heap use-after-free vulnerability in Kitware VTK's GLTF file parser that allows remote code execution or application crashes. Attackers can exploit this by providing specially crafted GLTF files to applications using VTK for 3D visualization. All systems running VTK versions up to 9.5.0 that process GLTF files are affected.

💻 Affected Systems

Products:
  • Kitware VTK (Visualization Toolkit)
Versions: All versions through 9.5.0
Operating Systems: All platforms where VTK is used (Windows, Linux, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use vtkGLTFDocumentLoader to parse GLTF files. Many scientific, medical, and engineering visualization applications incorporate VTK.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the VTK application, potentially leading to full system compromise if the application runs with elevated privileges.

🟠 Likely Case: Application crashes (denial of service) when processing malicious GLTF files, with potential for memory corruption leading to arbitrary code execution.

🟢 If Mitigated: Limited to denial of service if memory corruption doesn't lead to reliable code execution, or if the application runs with minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious GLTF files that trigger the use-after-free condition during mesh copy operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: VTK 9.5.1 or later

Vendor Advisory: https://gitlab.kitware.com/vtk/vtk/-/issues/19736

Restart Required: Yes

Instructions:

1. Check the current VTK version.
2. Update to VTK 9.5.1 or later from official repositories.
3. Rebuild any applications using VTK.
4. Restart affected services.

🔧 Temporary Workarounds

Disable GLTF file processing
Platforms: all
  • Prevent applications from loading GLTF files if not required
  • Configure applications to reject GLTF file formats

Input validation for GLTF files
Platforms: all
  • Implement strict validation of GLTF files before passing them to VTK
  • Add a file validation layer in application code

🧯 If You Can't Patch

  • Isolate VTK applications in sandboxed environments with minimal privileges
  • Implement network segmentation to restrict access to VTK-based services

🔍 How to Verify

Check if Vulnerable:

Check if VTK version is ≤9.5.0 and application uses vtkGLTFDocumentLoader

Check Version:

vtkVersion::GetVTKVersion() or check package manager

Verify Fix Applied:

Verify VTK version is ≥9.5.1 and test with known malicious GLTF files

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing GLTF files
  • Memory access violation errors in logs

Network Indicators:

  • Unexpected GLTF file uploads to visualization services

SIEM Query:

source="application.log" AND ("segmentation fault" OR "access violation") AND "GLTF"
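A small triage script covering both the version check from "How to Verify" and the SIEM query above (an added example, not part of the advisory; the sample log lines are constructed, and the live version read assumes the optional Python `vtk` module is importable):

```python
import re

# Fixed release named in the advisory; everything below 9.5.1 is affected.
FIXED_VERSION = (9, 5, 1)
# Constructed log lines for the demo (not real VTK output).
SAMPLE_LOG = [
    "2025-09-01 10:02:11 INFO  loaded scene.gltf via vtkGLTFDocumentLoader",
    "2025-09-01 10:02:12 ERROR segmentation fault while copying mesh from scene.gltf",
    "2025-09-01 10:05:40 ERROR access violation reading 0x0000 in renderer",
    "2025-09-01 10:07:03 WARN  GLTF accessor count mismatch, skipping primitive",
]
CRASH_TERMS = ("segmentation fault", "access violation")

def parse_vtk_version(text: str) -> tuple:
    """Turn '9.5.0' or '9.5.0rc1' into a comparable (9, 5, 0) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised VTK version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def vtk_is_vulnerable(version_text: str) -> bool:
    """True when the reported VTK version predates the 9.5.1 fix."""
    return parse_vtk_version(version_text) < FIXED_VERSION

def installed_vtk_version():
    """Read the version from the Python vtk module if it is importable."""
    try:
        import vtk  # optional dependency; absent on machines without VTK
    except ImportError:
        return None
    return vtk.vtkVersion.GetVTKVersion()

def gltf_crash_lines(lines):
    """Mirror of the SIEM query: a crash signature AND 'GLTF', case-insensitive."""
    hits = []
    for line in lines:
        low = line.lower()
        if "gltf" in low and any(term in low for term in CRASH_TERMS):
            hits.append(line)
    return hits

if __name__ == "__main__":
    version = installed_vtk_version()
    if version is None:
        print("vtk module not installed; pass a reported version to vtk_is_vulnerable()")
    else:
        print(f"VTK {version}: {'VULNERABLE' if vtk_is_vulnerable(version) else 'patched'}")
    for hit in gltf_crash_lines(SAMPLE_LOG):
        print("crash indicator:", hit)
```

A version check alone only tells you the library is exposed; the log scan is what surfaces crashes in GLTF handling that merit a closer look.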
