Skip to main content

GPAC MP4Box CVE-2025-60473

| EUVDEUVD-2025-210334 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 cve@mitre.org GHSA-8hg9-39h6-3rjm
5.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local file processing tool with no network surface; no privileges needed to invoke MP4Box; user must trigger processing; crash produces availability impact only with no C/I effect.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 25, 2026 - 15:24 vuln.today
Analysis Generated
Jun 25, 2026 - 15:24 vuln.today
CVSS changed
Jun 25, 2026 - 15:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 25, 2026 - 00:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.

AnalysisAI

NULL pointer dereference in GPAC MP4Box's filter pipeline traversal function crashes the application when processing a specially crafted media file. Affected versions prior to 26.02.0 fail to validate the pidi->pid pointer before dereferencing it inside gf_filter_in_parent_chain (filter_pid.c:2176), enabling a local attacker to cause a Denial of Service by supplying a malicious input file. No public exploit identification as KEV, but a publicly available proof-of-concept exists on GitHub; EPSS of 0.17% (6th percentile) reflects low observed exploitation probability consistent with the local-only, user-interaction-required attack vector.

Technical ContextAI

GPAC is an open-source multimedia framework; MP4Box is its command-line ISO media file packager and manipulator widely used in media processing pipelines and research. The vulnerable function gf_filter_in_parent_chain traverses GPAC's internal filter graph to determine parent-chain relationships. The root cause (CWE-476: NULL Pointer Dereference) is a missing NULL guard on pidi->pid before it is dereferenced to access pidi->pid->filter. A crafted input file can drive the filter graph into a state where pidi->pid is NULL at recursion time, causing an immediate crash. The one-line upstream fix (commit b8d80b44718de10b101e1d7fc17c84d69feb092e) adds the guard if (pidi->pid && gf_filter_in_parent_chain(...)), confirming the flaw is purely a missing defensive check rather than a logic or memory-corruption issue.

RemediationAI

Upgrade to GPAC version 26.02.0 or any version containing commit b8d80b44718de10b101e1d7fc17c84d69feb092e (github.com/gpac/gpac/commit/b8d80b44718de10b101e1d7fc17c84d69feb092e). This is the confirmed upstream fix and the primary remediation. If upgrading immediately is not possible, restrict MP4Box usage to trusted, internally generated media files only - do not process untrusted or user-supplied files with a vulnerable version. For automated ingestion pipelines, quarantine and pre-validate media files before passing them to MP4Box; this reduces exposure but does not eliminate it, since the validation logic itself must be external. The trade-off of the workaround is operational disruption to any workflow relying on third-party media ingestion. The GitHub issue tracking this flaw is at github.com/gpac/gpac/issues/3285.

More in Gpac

View all
CVE-2023-46932 CRITICAL POC
9.8 Dec 09

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra

CVE-2023-2840 CRITICAL POC
9.8 May 22

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-36190 CRITICAL POC
9.8 Aug 17

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit

CVE-2022-1795 CRITICAL POC
9.8 May 18

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2021-28300 CRITICAL POC
9.8 Apr 14

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e

CVE-2020-11558 CRITICAL POC
9.8 Apr 05

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this

CVE-2018-13005 CRITICAL POC
9.8 Jun 29

An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2023-2838 CRITICAL POC
9.1 May 22

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2023-0841 HIGH POC
8.8 Feb 15

A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit

CVE-2022-4202 HIGH POC
8.8 Nov 29

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev

CVE-2021-21850 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

CVE-2021-21849 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

Share

CVE-2025-60473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy