CVE-2025-10998 in Open Babelinfo

Summary

by MITRE • 09/26/2025

A vulnerability has been found in Open Babel up to 3.1.1. The affected element is the function ChemKinFormat::ReadReactionQualifierLines of the file /src/formats/chemkinformat.cpp. The manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/30/2025

The vulnerability identified as CVE-2025-10998 represents a critical null pointer dereference flaw within the Open Babel chemical data processing library version 3.1.1 and earlier. This issue resides in the ChemKinFormat::ReadReactionQualifierLines function located in the /src/formats/chemkinformat.cpp source file, which is responsible for parsing chemical kinetic data formats commonly used in computational chemistry applications. The flaw manifests when the software attempts to access a null pointer reference during the processing of chemical reaction qualifier lines, creating a potential crash condition that can be exploited by malicious actors. Open Babel serves as a crucial bridge between various chemical file formats, making this vulnerability particularly concerning for scientific computing environments where chemical data exchange is fundamental to research and development workflows.

The technical exploitation of this vulnerability occurs through a local attack vector where an adversary must have access to the system running Open Babel to trigger the null pointer dereference condition. This limitation reduces the attack surface compared to remote exploits but does not eliminate the risk entirely, as local privilege escalation or pre-existing system compromise scenarios could still lead to successful exploitation. The vulnerability classifies under CWE-476 which specifically addresses null pointer dereference conditions, where a program attempts to access memory through a null pointer reference. The flaw essentially occurs when the ReadReactionQualifierLines function fails to properly validate input data or handle edge cases during chemical reaction qualifier line parsing, resulting in the program attempting to dereference a null pointer that should have been properly initialized or validated.

The operational impact of this vulnerability extends beyond simple application crashes, potentially disrupting critical scientific workflows and computational chemistry research processes that depend on Open Babel for data format conversion and processing. When exploited successfully, the null pointer dereference can cause the application to terminate abruptly, leading to loss of unsaved work and potential data corruption in chemical databases or reaction modeling environments. This is particularly problematic in high-throughput computational chemistry settings where automated processing pipelines rely on Open Babel for seamless data integration across different chemical file formats. The public disclosure of the exploit means that adversaries with local access to systems running vulnerable versions of Open Babel can leverage this flaw to cause denial of service conditions or potentially gain unauthorized access to sensitive chemical research data. The vulnerability affects any application or workflow that utilizes the ChemKinFormat::ReadReactionQualifierLines function, including laboratory information management systems, computational chemistry software suites, and research data processing pipelines.

Organizations and researchers using Open Babel should immediately prioritize updating to version 3.1.2 or later, which contains the necessary patches to address this null pointer dereference vulnerability. System administrators should also implement monitoring and logging for any unusual process termination events or crash patterns in chemical data processing environments. The mitigation strategy should include comprehensive testing of updated versions in laboratory and research environments to ensure compatibility with existing workflows and data processing pipelines. Additionally, implementing access controls and privilege separation measures can help limit the potential impact of local exploitation attempts, while regular security assessments of scientific computing environments should include evaluation of third-party libraries like Open Babel for known vulnerabilities. The ATT&CK framework categorizes this type of vulnerability under T1499 which covers network share discovery and T1059 which covers command and scripting interpreter, indicating that local exploitation could potentially lead to broader system compromise if combined with other attack vectors or if the vulnerable system has additional attack surfaces.

Responsible

VulDB

Disclosure

09/26/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00187

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!