GPAC MP4Box CVE-2025-60477

EUVD-2025-210053 · MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-03 · cve@mitre.org · GHSA-f3gg-2qff-fg59
CVSS 3.1: 5.0 (NVD)

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 03, 2026 - 18:26 (vuln.today)
Analysis Generated: Jun 03, 2026 - 18:26 (vuln.today)
CVSS changed: Jun 03, 2026 - 18:22 (NVD), 5.0 (None) to 5.0 (MEDIUM)
CVE Published: Jun 03, 2026 - 14:16 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.

Analysis (AI)

NULL pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when a local user processes a crafted media file, resulting in Denial of Service. The flaw exists in gf_filter_pid_resolve_file_template_ex (filter_pid.c), where prop_val->value.string is passed to strncmp without a prior null check - confirmed by upstream commit diff. Publicly available exploit code exists, but SSVC signals no active exploitation and non-automatable attack conditions; no CISA KEV listing is present.

Technical Context (AI)

GPAC is an open-source multimedia framework; MP4Box is its command-line tool for MP4 file manipulation and media pipeline processing. The vulnerability (CWE-476, NULL Pointer Dereference) resides in src/filter_core/filter_pid.c within gf_filter_pid_resolve_file_template_ex. The code evaluated strncmp(prop_val->value.string, "gmem://", 7) after checking prop_val was non-null, but failed to also verify that prop_val->value.string itself was non-null. When a crafted file causes this string field to be null, the dereference faults. The upstream fix (commit 13eb5b76560aaf7813b865a2ad433258478e2695) adds prop_val->value.string && as an additional guard in the conditional. The same commit also patches related null-pointer and bounds issues in load_text.c, av_parsers.c, and odf/descriptors.c, suggesting a broader null-safety audit was triggered by this report.
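The missing and added guard described above, side by side, as an added example that is not GPAC's own code. The demo_prop type, the sample values and both function names are hypothetical stand-ins; only the shape of the condition is taken from the page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a property value; not GPAC's real type. */
typedef struct {
    int type;
    union { char *string; unsigned int uint; } value;
} demo_prop;

/* Constructed sample inputs. */
demo_prop sample_url   = { 0, { .string = "gmem://constructed-sample" } };
demo_prop sample_file  = { 0, { .string = "constructed-output.mp4" } };
demo_prop sample_unset = { 0, { .string = NULL } };

/* "Before" shape: only the outer pointer is checked, so a property whose
 * string member is NULL is handed straight to strncmp() (CWE-476). */
int is_gmem_before(const demo_prop *prop_val)
{
    if (prop_val && !strncmp(prop_val->value.string, "gmem://", 7))
        return 1;
    return 0;
}

/* "After" shape: the added prop_val->value.string && term short-circuits,
 * so strncmp() is never reached with a NULL argument. */
int is_gmem_after(const demo_prop *prop_val)
{
    if (prop_val && prop_val->value.string
        && !strncmp(prop_val->value.string, "gmem://", 7))
        return 1;
    return 0;
}

int main(void)
{
    /* The unguarded form is only exercised with non-NULL strings here;
     * passing sample_unset to it is undefined behaviour. */
    printf("before(url)=%d before(file)=%d\n",
           is_gmem_before(&sample_url), is_gmem_before(&sample_file));
    printf("after(url)=%d after(file)=%d after(unset)=%d after(NULL)=%d\n",
           is_gmem_after(&sample_url), is_gmem_after(&sample_file),
           is_gmem_after(&sample_unset), is_gmem_after(NULL));
    return 0;
}
```
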

Remediation (AI)

Upgrade GPAC MP4Box to version 26.02.0 or later, which incorporates the null-pointer guard added in upstream commit 13eb5b76560aaf7813b865a2ad433258478e2695 (https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433208478e2695). Note: the patched release version 26.02.0 is inferred from the CVE description; the upstream fix is confirmed as a commit but an independently verified tagged release was not confirmed from the provided references - verify the release tag in the GPAC GitHub repository before deploying. If immediate upgrade is not feasible, restrict MP4Box execution to processing only trusted, internally generated media files, and prevent any untrusted or externally supplied files from being passed to MP4Box. Because exploitation requires a local user to open the crafted file, disabling untrusted file processing via organizational policy or filesystem access controls is an effective interim control with minimal operational trade-off.
