GPAC MP4Box CVE-2025-70116
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).
AnalysisAI
NULL pointer dereference in GPAC MP4Box crashes the application when parsing specially crafted truncated MP4 files, resulting in a denial-of-service condition. The vulnerability triggers in the gf_media_map_esd function (media_tools/isom_tools.c, line ~1364) when an invalid or unknown stsd (Sample Table Sample Description) entry leaves codec, mime, or profile descriptor fields uninitialized - the function then calls strlen() on a NULL pointer, producing a segmentation fault (SEGV). A publicly available exploit code exists demonstrating the crash, though EPSS at 0.02% (6th percentile) signals negligible widespread exploitation probability and the vulnerability is not listed in CISA KEV.
Technical ContextAI
GPAC is an open-source multimedia framework widely used for MP4 container manipulation; MP4Box is its command-line tool for packaging, inspecting, and converting media files. The vulnerability resides in CWE-476 (NULL Pointer Dereference): within the ISO Base Media File Format parsing path, the stsd (Sample Table Sample Description) box describes how media samples are encoded. When a truncated or malformed MP4 file contains an unknown or invalid stsd entry, GPAC fails to populate codec/mime/profile descriptor strings, leaving them as NULL pointers. The gf_media_map_esd function subsequently passes these unvalidated pointers to strlen(), which dereferences NULL and triggers an AddressSanitizer-detected SEGV. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-deliverable via a crafted file, requires no privileges, but mandates that a user actively processes the file with MP4Box.
Affected ProductsAI
GPAC MP4Box is confirmed affected, with the vulnerability specifically located in media_tools/isom_tools.c around line 1364. The exact affected version range is not specified in the available data - no CPE strings or version boundaries were provided, and no vendor advisory with version constraints has been published. The issue is tracked at the upstream GitHub repository at https://github.com/gpac/gpac/issues/3345. Users should consult that issue for the latest version information as the fix status evolves.
RemediationAI
No vendor-released patch with a confirmed fix version has been identified at time of analysis. The issue is tracked upstream at https://github.com/gpac/gpac/issues/3345 - users should monitor this issue for patch availability and upgrade to the fixed release once published. As an immediate compensating control, operators should restrict MP4Box from processing untrusted or externally supplied MP4 files; this eliminates the attack surface since UI:R means the vulnerability cannot be triggered without user or pipeline action. In automated media processing environments, adding pre-validation to reject truncated or malformed MP4 files (e.g., checking file completeness before invoking MP4Box) is a practical workaround with minimal operational trade-off. Running MP4Box in a sandboxed or containerized environment limits the blast radius of a crash to an isolated process rather than a broader service.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today