GHSA-79v6-5w6w-c48m
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Network vector applies as file can be remotely delivered; UI:R because a user or pipeline must actively invoke MP4Box on the crafted input; availability-only impact with no confidentiality or integrity consequences.
Primary rating from Vendor (CNA).
CVSS Vector (Vendor): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Analysis (AI)
Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared frame counts. Specifically, avidmx_process() in filters/dmx_avi.c:639 fails to validate the frame count before using it as a divisor during Dasher bitrate computation, triggering an uncaught floating-point exception (FPE) when DASH segmentation is invoked. A public proof-of-concept file exists; exploitation requires no authentication or special privileges beyond delivering a malformed AVI-like input to an affected MP4Box instance. EPSS data is not yet available, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Technical Context (AI)
GPAC is an open-source multimedia framework; MP4Box is its command-line tool for ISOBMFF/MP4 packaging, DASH segmentation, and format conversion. The vulnerable code path lives in filters/dmx_avi.c, the AVI demuxer filter. When MP4Box runs DASH segmentation (-dash flag), the Dasher pipeline calls gf_dasher_process(), which in turn invokes the AVI demuxer filter avidmx_process(). If no bitrate property has been assigned to the PID, the Dasher attempts to compute bitrate from the bitstream, dividing by the frame count sourced from the AVI metadata. A crafted file can declare a frame count of 0/256, causing an integer or floating-point division by zero at line 639. The root cause class is CWE-369 (Divide by Zero) - insufficient input validation of a metadata field that is subsequently used as a divisor. The affected codebase is gpac/gpac prior to upstream commit f87b30611380e4dcd03cd4dd9ac553c0ec336826. No CPE string has been formally assigned by NVD at time of analysis, but the affected component is identifiable as the gpac:gpac product line.
Remediation (AI)
The upstream fix is available as commit f87b30611380e4dcd03cd4dd9ac553c0ec336826 in the gpac/gpac repository; organizations building from source should update to a commit at or after this hash. No officially tagged patched release version has been independently confirmed at time of analysis. For environments that cannot immediately update, a viable compensating control is to restrict or disable DASH segmentation workflows (-dash flag) that process untrusted or externally-supplied AVI files, as the crash is only triggered through the DASH segmentation code path via gf_dasher_process(). Input validation at the ingest boundary - rejecting AVI files with zero or implausible frame-count metadata before passing them to MP4Box - is a second practical mitigation. Sandboxing or containerizing MP4Box processes handling untrusted media will limit blast radius to a single process crash rather than broader service disruption. The GitHub issue is at https://github.com/gpac/gpac/issues/3196.
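The ingest-boundary check described above, as an added example (not code from GPAC or from this advisory): it walks the RIFF chunks of an AVI file and rejects the file when the main header or a video stream header declares a zero frame count. The page does not say which field MP4Box divides by, so checking `avih` `dwTotalFrames` and `strh` `dwLength` is an assumption; all function names and the sample bytes are constructed here.

```python
import struct

class AviRejected(ValueError):
    """Raised when an AVI file fails the ingest check."""

def _chunks(buf, start, end):
    """Yield (fourcc, data_start, data_end) for each RIFF chunk in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        data_start, data_end = pos + 8, pos + 8 + size
        if data_end > end:
            raise AviRejected(f"chunk {fourcc!r} overruns its container")
        yield fourcc, data_start, data_end
        pos = data_end + (size & 1)  # RIFF chunks are padded to an even length

def _collect(buf, start, end, counts):
    """Descend into the hdrl/strl lists and record the declared frame counts."""
    for fourcc, ds, de in _chunks(buf, start, end):
        if fourcc == b"LIST" and buf[ds:ds + 4] in (b"hdrl", b"strl"):
            _collect(buf, ds + 4, de, counts)
        elif fourcc == b"avih" and de - ds >= 20:   # dwTotalFrames at offset 16
            counts["avih.dwTotalFrames"] = struct.unpack_from("<I", buf, ds + 16)[0]
        elif fourcc == b"strh" and de - ds >= 36 and buf[ds:ds + 4] == b"vids":
            length = struct.unpack_from("<I", buf, ds + 32)[0]  # dwLength at offset 32
            # Keep the smallest value so one zero-length video stream is not masked.
            counts["strh.dwLength"] = min(length, counts.get("strh.dwLength", length))

def check_avi_frame_counts(buf):
    """Return the declared counts, or raise AviRejected if any is zero or missing."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"AVI ":
        raise AviRejected("not a RIFF/AVI file")
    counts = {}
    _collect(buf, 12, len(buf), counts)
    if "avih.dwTotalFrames" not in counts:
        raise AviRejected("no avih header found")
    zero = [name for name, value in counts.items() if value == 0]
    if zero:
        raise AviRejected("zero frame count declared in " + ", ".join(zero))
    return counts

def _chunk(fourcc, data):
    return fourcc + struct.pack("<I", len(data)) + data + b"\0" * (len(data) & 1)

def build_sample(total_frames, stream_length):
    """Constructed header-only AVI for the demo; not the public PoC file."""
    avih = struct.pack("<14I", 40000, 0, 0, 0, total_frames, 0, 1, 0, 320, 240, 0, 0, 0, 0)
    strh = struct.pack("<4s4sIHH8I4H", b"vids", b"MJPG", 0, 0, 0,
                       0, 1, 25, 0, stream_length, 0, 0, 0, 0, 0, 320, 240)
    hdrl = b"hdrl" + _chunk(b"avih", avih) + _chunk(b"LIST", b"strl" + _chunk(b"strh", strh))
    body = b"AVI " + _chunk(b"LIST", hdrl)
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

A gate like this runs before MP4Box is invoked and complements, rather than replaces, updating to the fixed commit and sandboxing the process.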
EUVD-2025-210142