GHSA-63vp-58qx-xx8w
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
File delivered over network (AV:N), user must invoke MP4Box on it (UI:R), crash is application-only with no C/I impact (A:L, S:U, C:N, I:N).
Primary rating from Vendor (CNA).
CVSS Vector (Vendor)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description (PRE-NVD)
Analysis (AI)
NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted Sample Auxiliary Information (SAI) metadata with an invalid sai_samples count. The function gf_isom_copy_sample_info() in isomedia/isom_write.c:8164 fails to validate pointers after SAI merge handling fails, resulting in a SEGV read at address 0x0 and an application crash. A publicly available proof-of-concept MP4 file exists on GitHub; however, this CVE is not in CISA KEV, and exploitation is constrained to a denial-of-service (process crash) with no code execution or data exposure demonstrated.
Technical Context (AI)
GPAC is an open-source multimedia framework; MP4Box is its primary command-line tool for ISO Base Media File Format (ISOBMFF) manipulation including track import, remuxing, and splitting. The vulnerable function gf_isom_copy_sample_info() resides in isomedia/isom_write.c and is responsible for copying Sample Auxiliary Information (SAI) - metadata structures defined in the ISOBMFF specification that carry per-sample auxiliary data such as encryption info. CWE-476 (NULL Pointer Dereference) describes the root cause: when the SAI merge step encounters an invalid sai_samples count and fails, the function does not guard subsequent pointer dereferences, leading to a read from address 0x0. The crash call stack traverses gf_import_isomedia() → gf_import_isomedia_track() → gf_isom_copy_sample_info(), meaning the flaw is reached specifically during track import operations. The affected codebase is gpac/gpac on master prior to commit f87b30611380e4dcd03cd4dd9ac553c0ec336826. No CPE string was provided in the available input data; exact release version boundaries are not independently confirmed.
Remediation (AI)
The upstream fix is available as commit f87b30611380e4dcd03cd4dd9ac553c0ec336826 in the gpac/gpac repository; however, a tagged GPAC release incorporating this patch has not been independently confirmed from the available data, so this should be treated as an upstream fix available via source rather than a vendor-released versioned patch. Users building GPAC from source should update to a revision at or after this commit. For operators who cannot immediately rebuild, the primary compensating control is to restrict MP4Box input to files sourced exclusively from trusted, pre-validated origins - do not pass user-supplied or third-party MP4 files directly to MP4Box import operations. In automated pipelines, adding a pre-screening step that rejects MP4 files with malformed SAI boxes (e.g., using a separate validator or sandboxed parsing pass) can prevent the vulnerable code path from being reached; the trade-off is added pipeline latency and the need to maintain a separate parsing component. Sandboxing the MP4Box process (e.g., with seccomp or a container with limited restart policy) limits the blast radius of a crash to the isolated process rather than the broader service. The oss-security advisory is at https://seclists.org/oss-sec/2026/q2/909 and the upstream issue at https://github.com/gpac/gpac/issues/3195.
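A sketch of the pre-screening validator the remediation mentions, added here as an example (it is not GPAC code and not the upstream fix): it walks the ISOBMFF box tree and flags any saiz box whose sample_count disagrees with the track's stsz sample_count, or whose per-sample size table is shorter than declared. The saiz/stsz layouts follow the ISOBMFF specification; the page does not say which SAI malformation reaches the crash, so these are generic consistency checks, and the sample files at the bottom are constructed.

```python
import struct
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}  # container boxes we descend into
def iter_boxes(data):
    """Yield (type, payload) per box; 32-bit sizes only, anything else is rejected (fail closed)."""
    pos, end = 0, len(data)
    while pos + 8 <= end:
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        if size < 8 or pos + size > end:  # also rejects size 0 (to-end) and 1 (largesize) as unsupported
            raise ValueError("truncated or malformed box %r at offset %d" % (btype, pos))
        yield btype, data[pos + 8:pos + size]
        pos += size
def check_stbl(stbl):
    """Return a list of SAI problems in one sample table; an empty list means it looks sane."""
    problems, stsz_count = [], None
    for btype, payload in iter_boxes(stbl):  # stsz payload: version/flags, sample_size, sample_count
        if btype == b"stsz" and len(payload) >= 12: stsz_count = struct.unpack(">I", payload[8:12])[0]
    for btype, payload in iter_boxes(stbl):
        if btype != b"saiz": continue
        flags = int.from_bytes(payload[1:4], "big")
        off = 4 + (8 if flags & 1 else 0)  # flag bit 0: aux_info_type + aux_info_type_parameter present
        if len(payload) < off + 5:
            problems.append("saiz box too short for its header"); continue
        default_size, count = payload[off], struct.unpack(">I", payload[off + 1:off + 5])[0]
        if default_size == 0 and len(payload) < off + 5 + count:  # per-sample size table is short
            problems.append("saiz declares %d samples but carries fewer sizes" % count)
        if stsz_count is not None and count != stsz_count:
            problems.append("saiz sample_count %d != stsz sample_count %d" % (count, stsz_count))
    return problems
def check_file(data):
    problems = []  # every problem found; reject the file unless this comes back empty
    def walk(buf):
        for btype, payload in iter_boxes(buf):
            if btype == b"stbl":
                problems.extend(check_stbl(payload))
            elif btype in CONTAINERS:
                walk(payload)
    try:
        walk(data)
    except ValueError as exc:
        problems.append(str(exc))
    return problems
# Constructed test files (no mdat): a 3-sample stsz beside a saiz whose count and default size we control.
def box(btype, payload): return struct.pack(">I4s", 8 + len(payload), btype) + payload
def sample_mp4(saiz_count, default_size=16):
    stsz = box(b"stsz", bytes(4) + struct.pack(">II", 100, 3))
    saiz = box(b"saiz", bytes(4) + bytes([default_size]) + struct.pack(">I", saiz_count))
    moov = box(b"moov", box(b"trak", box(b"mdia", box(b"minf", box(b"stbl", stsz + saiz)))))
    return box(b"ftyp", b"isom\0\0\0\0isom") + moov
```

In a pipeline this would run on the untrusted file before MP4Box is ever invoked, and any non-empty result quarantines the file; a full screener would also cover saio and the largesize/to-end box forms this sketch rejects outright.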
EUVD-2025-210141