CVE-2025-60474
Analyzed Analyzed - Analysis Complete

Buffer Overflow in GPAC MP4Box via Malicious Media File

Vulnerability report for CVE-2025-60474, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-29

Assigner: MITRE

Description

A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-29
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 26.02.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability described is a buffer overflow in the GPAC MP4Box tool that can cause a Denial of Service (DoS) by crashing the application when processing crafted input. It does not involve unauthorized access to data, data leakage, or modification of sensitive information.

Since the vulnerability impacts availability but does not affect confidentiality or integrity of data, its direct impact on compliance with standards like GDPR or HIPAAβ€”which primarily focus on protecting personal data privacy and integrityβ€”is limited.

However, a Denial of Service could indirectly affect compliance if it disrupts critical services that handle regulated data, potentially violating availability requirements in those standards.

Executive Summary

This vulnerability is a buffer overflow in the gf_media_import function located in the /media_tools/av_parsers.c file of the GPAC Project's MP4Box software versions before 26.02.0. A buffer overflow occurs when more data is written to a buffer than it can hold, which can lead to unexpected behavior or crashes.

In this case, attackers can exploit this flaw by supplying specially crafted input to the vulnerable function, which triggers the buffer overflow.

Impact Analysis

The primary impact of this vulnerability is that it allows attackers to cause a Denial of Service (DoS) condition. This means the affected software could crash or become unresponsive when processing malicious input, potentially disrupting services or workflows that rely on MP4Box.

Detection Guidance

This vulnerability can be detected by attempting to process a malformed MPEG-2 TS file using the MP4Box tool with the -info command, which triggers the heap-buffer-overflow in the gf_media_import function.

A practical detection method is to run the following command on a crafted input file designed to exploit the vulnerability:

  • mp4box -info <crafted_mpeg2_ts_file>

If the tool crashes or exhibits abnormal behavior, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation involves updating the GPAC MP4Box tool to a version that includes the fix for this vulnerability.

The fix adds proper length checks in the gf_media_import function to prevent buffer overflows by verifying the length of the language string before accessing it.

Until an updated version is applied, avoid processing untrusted or malformed MPEG-2 TS files with MP4Box to reduce the risk of triggering the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart