What is the CVSS score of CVE-2025-55647?

CVE-2025-55647 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.2%.

Which versions of GPAC MP4Box are affected by CVE-2025-55647?

GPAC's MP4Box is vulnerable to a denial-of-service attack when processing malformed MP4 video files, potentially disrupting media processing pipelines and video streaming operations.

How to fix or mitigate CVE-2025-55647?

Within 24 hours: Identify all systems running GPAC MP4Box and determine which process externally-sourced or untrusted MP4 files; document dependencies in DASH, encoding, and streaming pipelines. Within 7 days: Implement file input validation and resource limits (memory caps, process limits) on all MP4Box instances; move untrusted media processing to isolated, resource-constrained containers or sandboxes. Within 30 days: Establish vendor contact for patch timeline and interim advisories; evaluate alternative media processing frameworks; require cryptographic signature or format validation for all inbound MP4 files.

GPAC MP4Box CVE-2025-55647

EUVD-2025-210146 MEDIUM

Integer Overflow or Wraparound (CWE-190)

2026-06-13

GHSA-44vh-hwch-5r66

Denial Of Service Integer Overflow Gpac

5.5

CVSS 3.1 · Vendor

Severity by source

Vendor (CNA) PRIMARY

5.5 MEDIUM

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

vuln.today AI

4.3 MEDIUM

Network-delivered file triggers crash only with active user interaction; no confidentiality or integrity impact, process-level availability loss only.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Severity Changed

Jun 15, 2026 - 21:22 NVD

CRITICAL MEDIUM

CVSS changed

Jun 15, 2026 - 21:22 NVD

5.5 (CRITICAL) 5.5 (MEDIUM)

Analysis Generated

Jun 13, 2026 - 22:23 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Integer overflow in GPAC's MP4Box causes an out-of-memory crash when processing crafted MP4 files with malformed Protection System Specific Header (PSSH) metadata during DASH segmentation. The function mp4_mux_cenc_insert_pssh() in filters/mux_isom.c fails to validate attacker-controlled kid_count and dataSize fields before using them in a buffer size calculation, causing realloc() to request approximately 61 GB (0xe40000100 bytes), which crashes the process. A public proof-of-concept MP4 file is available on GitHub; no active exploitation has been confirmed and no CISA KEV listing exists. The CVSS 3.1 score of 4.3 MEDIUM reflects the user-interaction requirement and limited availability impact.

Technical ContextAI

GPAC is an open-source multimedia framework widely used for MP4/ISOBMFF file manipulation and MPEG-DASH packaging. MP4Box is its command-line tool. The vulnerability resides in the CENC (Common Encryption) PSSH (Protection System Specific Header) muxing logic within filters/mux_isom.c. CWE-190 (Integer Overflow or Wraparound) describes the root cause: attacker-controlled size fields (kid_count, dataSize) embedded in the MP4 file's PSSH box are consumed by mp4_mux_cenc_insert_pssh() without bounds checking. The arithmetic used to calculate the buffer allocation size overflows a fixed-width integer type, producing a very large (but arithmetically valid from the CPU's perspective) value, which is then passed directly to realloc(). The affected code path is exercised specifically during DASH segmentation (mp4_mux_start_fragment()). AddressSanitizer confirms the crash at mux_isom.c:4326 with an allocation request of 0xe40000100 bytes. The fix is present in upstream commit e95f3064d846e4606276fff111e0f97df1576a04.

RemediationAI

The upstream fix is available as commit e95f3064d846e4606276fff111e0f97df1576a04 in the GPAC GitHub repository (https://github.com/gpac/gpac). Users building GPAC from source should pull and rebuild from at least this commit. A patched tagged release version has not been independently confirmed from the available data - monitor the GPAC GitHub releases page for an official versioned release incorporating this fix. As a compensating control where patching is not immediately possible, avoid processing untrusted or externally sourced MP4 files with the -dash segmentation flag. If MP4Box is used in an automated media processing pipeline, run it inside a sandboxed process (e.g., seccomp, Docker with memory limits) so that an OOM crash cannot affect the broader service. Restricting the maximum file size accepted from external sources may reduce exposure but will not prevent exploitation of files within typical size bounds.

More from same product – last 7 days

CVE-2025-55642 MEDIUM This Month

6.5 Jun 13

Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared fra

CVE-2025-55648 MEDIUM This Month

5.5 Jun 13

Heap-based buffer overflow in GPAC MP4Box (all versions prior to fix commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5) al

CVE-2025-55649 MEDIUM This Month

5.5 Jun 13

NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the ap

CVE-2025-55641 MEDIUM This Month

5.5 Jun 13

NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted

CVE-2025-55644 MEDIUM This Month

5.5 Jun 13

Use-after-free memory corruption in GPAC's MP4Box triggers via gf_node_get_tag when parsing a crafted MP4 file containin

CVE-2025-55647 vulnerability details – vuln.today

Back

GPAC MP4Box CVE-2025-55647

Severity by source

CVSS VectorVendor

Lifecycle Timeline

Description PRE-NVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code