{"id":"CVE-2025-11012","details":"A vulnerability was found in BehaviorTree up to 4.7.0. It affects the function ParseScript in the file /src/script_parser.cpp of the component Diagnostic Message Handler. Manipulation of the argument error_msgs_buffer can lead to a stack-based buffer overflow. The attack can only be carried out locally. The exploit has been publicly disclosed and may be used. The patch is identified as cb6c7514efa628adb8180b58b4c9ccdebbe096e3. Applying the patch is recommended to remediate this issue.","modified":"2026-04-12T17:58:59.713214Z","published":"2025-09-26T12:15:35.157Z","references":[{"type":"ADVISORY","url":"https://vuldb.com/?id.325955"},{"type":"ADVISORY","url":"https://vuldb.com/?submit.654074"},{"type":"REPORT","url":"https://github.com/BehaviorTree/BehaviorTree.CPP/pull/1007"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.325955"},{"type":"REPORT","url":"https://github.com/BehaviorTree/BehaviorTree.CPP/issues/1006"},{"type":"FIX","url":"https://github.com/BehaviorTree/BehaviorTree.CPP/commit/cb6c7514efa628adb8180b58b4c9ccdebbe096e3"},{"type":"EVIDENCE","url":"https://github.com/user-attachments/files/22251337/poc.zip"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/behaviortree/behaviortree.cpp","events":[{"introduced":"0"},{"fixed":"9b3e791f8c09845866bf50faf2c56d7bcd99ea42"},{"fixed":"cb6c7514efa628adb8180b58b4c9ccdebbe096e3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.7.3"}]}}],"versions":["2.0-beta","2.1.0","2.3.0","2.4.0","2.4.1","2.4.4","2.5.0","2.5.1","3.0.0","3.0.1","3.0.2","3.0.3","3.0.5","3.0.6","3.0.7","3.1.0","3.1.1","3.3.0","3.4.0","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.5.5","3.5.6","3.6.0","3.6.1","3.7.0","4.0.1","4.1.0","4.1.1","4.2.0","4.2.1","4.3.0","4.3.1","4.3.3","4.3.4","4.3.5","4.3.6","4.3.7","4.3.8","4.4.0","4.4.1","4.4.2","4.4.3","4.5.0","4.5.1","4.5.2","4.6.0","4.6.1","4.6.2","4.7.0","4.7.1","4.7.2"],"database_specific":{"vanir_signatures":[{"deprecated":false,"
target":{"file":"src/script_parser.cpp"},"id":"CVE-2025-11012-0472e87e","signature_version":"v1","source":"https://github.com/behaviortree/behaviortree.cpp/commit/cb6c7514efa628adb8180b58b4c9ccdebbe096e3","digest":{"line_hashes":["299972901820116468240995868952412301025","187230475786396314504787625581860795190","8000962959017230140626677018927894376","166785937867902317807252838411773786620","186042818810901607241236083440119949769","181244248553334472322270774723020479597","8222420829122001987243535694810890899","41117119396467970039722853641412491991","38885781141770936162979416768057436075","8000962959017230140626677018927894376","166785937867902317807252838411773786620","186042818810901607241236083440119949769","181244248553334472322270774723020479597","8222420829122001987243535694810890899"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"ParseScript","file":"src/script_parser.cpp"},"id":"CVE-2025-11012-b19c5423","signature_version":"v1","source":"https://github.com/behaviortree/behaviortree.cpp/commit/cb6c7514efa628adb8180b58b4c9ccdebbe096e3","digest":{"function_hash":"86196238422372887144497918021146705617","length":926},"signature_type":"Function"},{"deprecated":false,"target":{"function":"ValidateScript","file":"src/script_parser.cpp"},"id":"CVE-2025-11012-e829f998","signature_version":"v1","source":"https://github.com/behaviortree/behaviortree.cpp/commit/cb6c7514efa628adb8180b58b4c9ccdebbe096e3","digest":{"function_hash":"77407382039146176453379997684888407227","length":598},"signature_type":"Function"}],"vanir_signatures_modified":"2026-04-12T17:58:59Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11012.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}