CVE-2025-8537
BaseFortify
Publication date: 2025-08-05
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axiosys | bento4 | up to 1.6.0-641 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Bento4 library's mp4decrypt tool occurs when it processes a specially crafted malformed MP4 file containing an "sgpd" atom with an excessively large declared size (0xFFFFFFFC). This large size is passed unchecked to the function AP4_DataBuffer::SetDataSize(), which attempts to allocate about 4 GB of memory. The allocation fails, throwing an unhandled std::bad_alloc exception that causes the program to terminate immediately (denial of service). Essentially, the vulnerability allows an attacker to crash the mp4decrypt process by supplying a malformed MP4 file that triggers excessive memory allocation attempts. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial-of-service (DoS) condition in applications using the affected Bento4 mp4decrypt component. An attacker can remotely supply a specially crafted MP4 file that triggers excessive memory allocation, causing the application to crash unexpectedly. This disrupts system availability and may affect any service or process relying on this library for MP4 file processing. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the mp4decrypt tool from the Bento4 library with a specially crafted malformed MP4 file containing an "sgpd" atom with an excessively large declared size (0xFFFFFFFC). Running mp4decrypt on such a file will cause the process to terminate with an error message like "terminate called after throwing an instance of 'std::bad_alloc'". To detect it, you can use the provided proof-of-concept malformed MP4 file and run a command such as: mp4decrypt malformed_file.mp4 output_file. If the tool crashes with the described error, the vulnerability is present. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the affected versions of the Bento4 library (up to 1.6.0-641) and its mp4decrypt tool until a fixed version is available. Since no known countermeasures or patches currently exist, consider replacing the affected product, or restrict mp4decrypt to trusted inputs only so that it never processes maliciously crafted MP4 files. [2]
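One way to screen untrusted files before they reach mp4decrypt, given here as an added example and not code from Bento4 or from this page: walk the MP4 box headers and report any box whose declared size does not fit inside its parent, which is the condition described above for the "sgpd" atom. The function names, the container list and the sample bytes are assumptions made for the illustration, as is reading the oversized value from the box's 32-bit size field.

```python
import struct
import sys
from pathlib import Path

# Containers on the way to 'sgpd' in ISO BMFF (assumed list, not exhaustive).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"moof", b"traf"}

def find_oversized_boxes(data, start=0, end=None, path=""):
    """Return (path, offset, declared_size, available) for each box whose
    declared size does not fit inside its parent (or inside the file)."""
    end = len(data) if end is None else end
    findings, pos = [], start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, pos)
        header, available = 8, end - pos
        if size == 1 and available >= 16:   # 64-bit largesize follows the type
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                     # box runs to the end of its parent
            size = available
        name = path + "/" + kind.decode("latin-1")
        if size < header or size > available:
            findings.append((name, pos, size, available))
            break                           # a bad size leaves no way to resync
        if kind in CONTAINERS:
            findings += find_oversized_boxes(data, pos + header, pos + size, name)
        pos += size
    return findings

def box(kind, payload=b"", size=None):
    """Constructed-sample helper: one box, optionally with a false size field."""
    declared = len(payload) + 8 if size is None else size
    return struct.pack(">I4s", declared, kind) + payload

def sample(sgpd_size=None):
    """Constructed 76-byte layout: ftyp, then moov/trak/mdia/minf/stbl/sgpd."""
    inner = box(b"sgpd", b"\x00" * 12, sgpd_size)
    for kind in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
        inner = box(kind, inner)
    return box(b"ftyp", b"isom" + b"\x00" * 4) + inner

if __name__ == "__main__":
    # Usage: python screen_mp4.py FILE...   (no arguments: run on the sample)
    inputs = [(p, Path(p).read_bytes()) for p in sys.argv[1:]]
    for label, data in inputs or [("constructed sample", sample(0xFFFFFFFC))]:
        for name, off, size, avail in find_oversized_boxes(data):
            print(f"{label}: {name} at offset {off} declares {size:#x} bytes, {avail} available")
```

An empty result only means the box sizes are consistent with the file length; files that are flagged can be quarantined instead of being passed to mp4decrypt.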