CVE-2025-55660
Undergoing Analysis Undergoing Analysis - In Progress

Stack Overflow in GPAC MP4Box via MP4 File

Vulnerability report for CVE-2025-55660, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description

A stack overflow in the gf_opus_read_length function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpac mp4box 2.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stack overflow in the gf_opus_read_length function located in the media_tools/av_parsers.c file of GPAC MP4Box version 2.4. It occurs when the software processes a specially crafted MP4 file.

A stack overflow happens when more data is written to a buffer located on the stack than it can hold, potentially overwriting adjacent memory. In this case, it allows attackers to cause a Denial of Service (DoS) condition.

Impact Analysis

The primary impact of this vulnerability is that an attacker can cause a Denial of Service (DoS) by supplying a crafted MP4 file to GPAC MP4Box v2.4.

This means the application may crash or become unresponsive, disrupting normal operations and potentially affecting availability.

Compliance Impact

The vulnerability described is a stack overflow in GPAC MP4Box that allows a Denial of Service (DoS) attack. It does not involve unauthorized access to data, data leakage, or modification of information.

Since the vulnerability results in availability impact only (DoS) and has no confidentiality or integrity impact, it is less likely to directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, if the DoS condition disrupts critical services or systems that handle regulated data, it could indirectly impact compliance by causing service unavailability.

Detection Guidance

This vulnerability can be detected by analyzing MP4 files processed by GPAC MP4Box, specifically looking for crafted MP4 files containing malformed, non-self-delimited Opus packets with invalid odd packet lengths.

A practical detection method involves running MP4Box on suspect MP4 files and monitoring for crashes or AddressSanitizer reports indicating stack-buffer-overflow writes in the gf_opus_read_length function.

While no specific commands are provided, a suggested approach is to use MP4Box to dump or parse MP4 files and observe for abnormal termination or errors.

Mitigation Strategies

Immediate mitigation involves avoiding processing untrusted or crafted MP4 files with vulnerable versions of GPAC MP4Box.

Applying the fix commit identified as ff8249a407685d00ceb5f4d2a798b9cad195140e or upgrading to a patched version of GPAC MP4Box is recommended.

Additionally, restricting user interaction with untrusted MP4 files and monitoring for abnormal application behavior can help reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart