CVE-2025-10999 in Open Babelinfo

Summary

by MITRE • 09/26/2025

A vulnerability was found in Open Babel up to 3.1.1. The impacted element is the function CacaoFormat::SetHilderbrandt of the file /src/formats/cacaoformat.cpp. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been made public and could be used.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/30/2025

The vulnerability identified as CVE-2025-10999 represents a critical null pointer dereference flaw within the Open Babel chemical file format processing library. This issue specifically affects the CacaoFormat::SetHilderbrandt function located in the /src/formats/cacaoformat.cpp source file, making it a targeted weakness within the software's chemical data handling capabilities. Open Babel, a widely used chemical toolbox for converting between various chemical file formats, is impacted by this vulnerability in versions up to 3.1.1, creating potential security risks for users who process chemical data files through this library.

The technical nature of this flaw stems from improper input validation within the CacaoFormat::SetHilderbrandt function, which fails to adequately check for null pointer conditions before attempting to dereference memory addresses. This type of vulnerability falls under CWE-476, which specifically addresses null pointer dereference conditions that can lead to application crashes or potentially exploitable states. The vulnerability's classification as a null pointer dereference indicates that the function attempts to access memory through a pointer that has not been properly initialized or validated, creating an execution path that can result in program termination or system instability.

The operational impact of this vulnerability is significant within the chemical informatics domain where Open Babel serves as a critical component for data conversion and processing. Attackers with local access can exploit this flaw by crafting malicious Cacao format files that trigger the null pointer dereference condition, potentially causing denial of service or system instability. While the vulnerability requires local access for exploitation, its public availability means that malicious actors can leverage this weakness to disrupt chemical data processing workflows, particularly in environments where automated file conversion processes are in place. The exploitability of this vulnerability is further enhanced by its presence in widely distributed software components that may be used across various chemical research and industrial applications.

Security mitigations for this vulnerability should prioritize immediate software updates to versions that contain patches addressing the null pointer dereference in the CacaoFormat::SetHilderbrandt function. System administrators and users should implement input validation measures to prevent processing of untrusted chemical format files, particularly those originating from external sources. The ATT&CK framework categorizes this type of vulnerability under T1203, which involves exploitation of software vulnerabilities for privilege escalation or denial of service attacks. Organizations should also consider implementing network segmentation and access controls to limit local access to systems running Open Babel, while monitoring for anomalous file processing activities that might indicate exploitation attempts. Additionally, regular security assessments of chemical data processing pipelines should include verification of software versions and patch status to prevent exploitation of known vulnerabilities in widely used chemical informatics tools.

Responsible

VulDB

Disclosure

09/26/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00188

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!