CVE-2025-60477
Deferred Deferred - Pending Action
NULL Pointer Dereference in GPAC MP4Box

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2025-60477
EUVD
EUVD-2025-210053
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gpac mp4box 2.5-dev-rev1617-g856674b22-master
gpac gpac *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60477 is a vulnerability in the GPAC project's MP4Box component, specifically in the function gf_filter_pid_resolve_file_template_ex located in filter_core/filter_pid.c. The issue is a NULL pointer dereference that occurs when the function processes files containing specially crafted metadata with excessive special characters. This causes the function to attempt a strncmp() operation on an uninitialized NULL pointer, leading to a segmentation fault and crashing the application.

An attacker can exploit this vulnerability by supplying a crafted file that triggers this NULL pointer dereference, causing the program to crash.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the GPAC MP4Box application when it processes a maliciously crafted file. The crash results from a segmentation fault due to a NULL pointer dereference.

Such a crash can disrupt media processing workflows, potentially causing service interruptions or application instability in environments relying on GPAC for media handling.

Detection Guidance

The vulnerability can be detected by attempting to trigger the null-pointer dereference in the GPAC MP4Box application using a specially crafted file that causes a segmentation fault.

A known command to reproduce the crash is: ./MP4Box -dash 100 48_gf_filter_pid_resolve_file_template_ex_filter_core_filter_pid_c_9045

Running this command with the crafted file causes the program to crash with an AddressSanitizer error indicating a segmentation violation due to a read memory access on a NULL pointer.

Compliance Impact

The provided information about CVE-2025-60477 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The vulnerability is caused by a null pointer dereference in the GPAC project's gf_filter_pid_resolve_file_template_ex function, which can be triggered by processing specially crafted files.

Immediate mitigation steps include avoiding the use of untrusted or specially crafted files with the affected versions of GPAC/MP4Box to prevent triggering the denial of service.

Since no CVSS or official patch details are provided in the context, and no direct mitigation instructions are available, the best immediate action is to restrict or monitor file inputs and update GPAC to a version that includes null pointer checks once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60477. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart