GHSA-2j29-6f2f-79fx
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Network-deliverable crafted file, no privileges required, but user must open it; UAF yields full memory corruption impact.
Primary rating from Vendor (CNA).
CVSS Vector (Vendor)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Analysis (AI)
Use-after-free memory corruption in GPAC's MP4Box triggers via gf_node_get_tag when parsing a crafted MP4 file containing an invalid BIFS GlobalQuantizer command. Any user or automated pipeline processing an attacker-supplied MP4 file with an affected GPAC build is exposed. Exploitation could yield arbitrary code execution or a reliable crash, depending on heap layout at the time of the free. No public exploit code or CISA KEV listing has been identified at time of analysis.
Technical Context (AI)
GPAC is an open-source multimedia framework widely used for MP4 file packaging, inspection, and scene graph manipulation. MP4Box is its primary command-line interface. BIFS (Binary Format for Scenes) is the ISO/IEC 14496-11 binary encoding of MPEG-4 scene graphs; the GlobalQuantizer command within BIFS sets floating-point quantization parameters applied to subsequent scene nodes. The vulnerability resides in gf_node_get_tag, a function that retrieves the type tag of a scene-graph node pointer. An invalid GlobalQuantizer command can trigger premature freeing of a node object; a subsequent call to gf_node_get_tag then dereferences the freed pointer, producing a classic CWE-416 (Use After Free) condition. No CPE strings were supplied in the source data, so exact affected version ranges have not been independently confirmed. CWE is not explicitly stated in the advisory but the UAF class is unambiguous from the oss-security subject line.
Remediation (AI)
No vendor-released patch version has been identified in the available source data. Consumers should monitor the GPAC GitHub repository for a tagged release or commit that addresses CVE-2025-55644 and upgrade as soon as one is available. As a compensating control, avoid processing untrusted or externally-sourced MP4 files with MP4Box or any application linking libgpac until a patch is confirmed. If GPAC is deployed in a server-side media pipeline, restrict file ingestion to validated, trusted sources and add process-level sandboxing (e.g., seccomp, AppArmor, or container isolation) to limit the blast radius of a successful UAF exploit. Running MP4Box under a low-privilege user without write access to sensitive paths reduces the impact of code execution. See https://seclists.org/oss-sec/2026/q2/903 for the original disclosure.
EUVD-2025-210144