
GPAC MP4Box CVE-2025-55649

EUVD-2025-210148 MEDIUM
NULL Pointer Dereference (CWE-476)
5.5
CVSS 3.1 · Vendor

Severity by source

Vendor (CNA), primary: 5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

vuln.today AI: 4.3 MEDIUM

Network-delivered file requires active user invocation (UI:R); crash-only impact with no code execution warrants A:L, C:N, I:N.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Severity Changed (Jun 15, 2026 - 21:22, NVD): CRITICAL → MEDIUM
CVSS changed (Jun 15, 2026 - 21:22, NVD): 5.5 (CRITICAL) → 5.5 (MEDIUM)
Analysis Generated (Jun 13, 2026 - 22:19, vuln.today)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the application by supplying a crafted MP4 file with corrupted Elementary Stream Descriptor (ESD) data. The function gf_media_map_esd() in media_tools/isom_tools.c at line 1359 calls strlen() on esd->URLString without verifying the pointer is non-NULL, triggering a SEGV when the ESD contains a missing or corrupted URLString field. A public proof-of-concept MP4 file exists; no active exploitation has been confirmed (not in CISA KEV). EPSS data is not available in the provided intelligence.

Technical Context (AI)

GPAC is an open-source multimedia framework; MP4Box is its command-line ISO Base Media File Format (ISOBMFF/MP4) processing tool widely used for fragmenting, packaging, and inspecting MP4 streams. The vulnerable code path is triggered during track declaration when MP4Box is invoked with the -frag flag: isor_declare_track() calls gf_media_map_esd(), which attempts to call the C standard library strlen() on the URLString field of an ESDescriptor struct (esd->URLString). When a crafted MP4 provides a corrupted or absent ESD, this pointer is NULL, causing a read access violation at address 0x0 (zero page dereference). The root cause class is CWE-476 (NULL Pointer Dereference) - a missing NULL guard before a pointer dereference. AddressSanitizer confirms the exact crash site at isom_tools.c:1359. The CVSS 3.1 vector provided in the advisory is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (score 4.3 MEDIUM), reflecting network delivery with required user interaction and availability-only impact.
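To make the crash mechanism above concrete, here is an added illustration that is not GPAC's code: a simplified stand-in for the ES descriptor, a toy parser that leaves URLString NULL when the URL is absent or truncated, and the unguarded strlen() pattern beside the guarded form that returns an error instead. The struct layout, byte format, and all function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified descriptor model (not GPAC's ESDescriptor). */
typedef struct {
    uint16_t ES_ID;
    char *URLString;   /* stays NULL when the descriptor carries no usable URL */
} esd_t;

/* Toy parser over a constructed payload: ES_ID(2) | flags(1) | [URLlength(1) URL...].
 * Bit 6 of flags plays the role of a URL flag. A zero-length or truncated URL leaves
 * URLString NULL, which is the state the crash described above depends on. */
int parse_esd(const uint8_t *buf, size_t len, esd_t *out) {
    out->URLString = NULL;
    if (len < 3) return -1;
    out->ES_ID = (uint16_t)((buf[0] << 8) | buf[1]);
    if (buf[2] & 0x40) {
        if (len < 4) return 0;                             /* length byte missing */
        size_t url_len = buf[3];
        if (url_len == 0 || len < 4 + url_len) return 0;   /* empty or truncated */
        out->URLString = malloc(url_len + 1);
        if (!out->URLString) return -1;
        memcpy(out->URLString, buf + 4, url_len);
        out->URLString[url_len] = '\0';
    }
    return 0;
}

/* Vulnerable shape (illustrative): strlen() on a pointer that may be NULL. */
size_t url_len_unguarded(const esd_t *esd) {
    return strlen(esd->URLString);   /* reads address 0 when URLString is NULL */
}

/* Hardened shape: check before dereferencing and report an error instead of crashing. */
int url_len_guarded(const esd_t *esd, size_t *url_len) {
    if (esd == NULL || esd->URLString == NULL) return -1;
    *url_len = strlen(esd->URLString);
    return 0;
}

void free_esd(esd_t *esd) { free(esd->URLString); esd->URLString = NULL; }

/* Runs the guarded path on a constructed descriptor: a well-formed one with a 3-byte URL,
 * or a truncated one whose length byte (5) exceeds the bytes present. Returns the URL
 * length on success, -1 when the guard rejects a NULL URLString. */
int demo_guarded(int truncated) {
    const uint8_t good[] = {0x00, 0x01, 0x40, 0x03, 'a', 'b', 'c'};
    const uint8_t bad[]  = {0x00, 0x01, 0x40, 0x05, 'a'};
    esd_t e; size_t n = 0;
    if (parse_esd(truncated ? bad : good, truncated ? sizeof bad : sizeof good, &e) != 0) return -2;
    int rc = url_len_guarded(&e, &n);
    free_esd(&e);
    return rc == 0 ? (int)n : rc;
}
```

Calling url_len_unguarded() on the truncated descriptor reproduces the zero-page read the advisory describes; the guarded variant turns the same input into a recoverable error.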

Remediation (AI)

The upstream fix is available as commit 09e7063ed0a13b4cee9a180a56dcc21e9f9ade07 in the gpac/gpac repository (https://github.com/gpac/gpac); however, a tagged release incorporating this fix has not been independently confirmed from the available data, so users building from source should pull a revision at or after this commit. As a compensating control for organizations running MP4Box in automated pipelines, restrict the tool to processing only trusted, internally generated MP4 files and reject user-supplied files before they reach the fragmentation stage. If the -frag command is not operationally required, disabling or blocking invocations of MP4Box -frag on untrusted input eliminates this specific attack surface with no side effects on other MP4Box functionality. There is no configuration knob to disable ESD parsing independently; the fix requires a code-level NULL guard before the strlen() call in gf_media_map_esd().
