GPAC MP4Box CVE-2025-55651
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
AnalysisAI
NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when parsing a maliciously crafted MP4 file, enabling a Denial of Service against any user or pipeline that processes untrusted media with this tool. The flaw resides in gf_isom_get_user_data_count within isomedia/isom_read.c, where an unvalidated pointer is dereferenced during user-data atom counting. Publicly available exploit code exists as a crafted MP4 PoC, though no public exploit identified at time of analysis in CISA KEV and EPSS sits at the 5th percentile, suggesting minimal observed exploitation activity.
Technical ContextAI
GPAC is an open-source multimedia framework; MP4Box is its ISO Base Media File Format (ISOBMFF/MP4) muxing and analysis CLI tool. The vulnerable function gf_isom_get_user_data_count in isomedia/isom_read.c is responsible for traversing user-data (UDTA) boxes within an MP4 container to count embedded metadata entries. CWE-476 (NULL Pointer Dereference) indicates that a pointer - likely a box or track handle - is not validated before dereferencing, meaning a specially constructed MP4 that omits or malforms expected structures causes a null deref and process crash. The CPE data provided (cpe:2.3:a:n/a:n/a) is generic and not vendor-attributed by NVD, so version scope beyond the stated v2.4 is unconfirmed from available data.
RemediationAI
No vendor-released patch identified at time of analysis. No official GPAC security advisory was found among the provided references. As a compensating control, avoid passing untrusted or externally sourced MP4 files to MP4Box in automated pipelines - restrict input to files from trusted, integrity-verified sources only. For processing pipelines that must handle untrusted media, run MP4Box inside an isolated container or sandbox (e.g., seccomp-restricted Docker container or gVisor) to limit crash blast radius to the sandboxed process. If MP4Box is used interactively, advise users not to process MP4 files from unknown sources until a patch is confirmed. Monitor the GPAC GitHub repository (https://github.com/gpac/gpac) for commits addressing gf_isom_get_user_data_count in isomedia/isom_read.c as an indicator of an upstream fix.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today