CVE-2025-60477
NULL Pointer Dereference in GPAC MP4Box
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | mp4box | 2.5-dev-rev1617-g856674b22-master |
| gpac | gpac | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-60477 is a vulnerability in the GPAC project's MP4Box component, specifically in the function gf_filter_pid_resolve_file_template_ex located in filter_core/filter_pid.c. The issue is a NULL pointer dereference that occurs when the function processes files containing specially crafted metadata with excessive special characters. This causes the function to attempt a strncmp() operation on an uninitialized NULL pointer, leading to a segmentation fault and crashing the application.
An attacker can exploit this vulnerability by supplying a crafted file that triggers this NULL pointer dereference, causing the program to crash.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information about CVE-2025-60477 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by a null pointer dereference in the GPAC project's gf_filter_pid_resolve_file_template_ex function, which can be triggered by processing specially crafted files.
Immediate mitigation steps include avoiding the use of untrusted or specially crafted files with the affected versions of GPAC/MP4Box to prevent triggering the denial of service.
Since no CVSS or official patch details are provided in the context, and no direct mitigation instructions are available, the best immediate action is to restrict or monitor file inputs and update GPAC to a version that includes null pointer checks once available.
How can this vulnerability impact me? :
This vulnerability can cause a Denial of Service (DoS) by crashing the GPAC MP4Box application when it processes a maliciously crafted file. The crash results from a segmentation fault due to a NULL pointer dereference.
Such a crash can disrupt media processing workflows, potentially causing service interruptions or application instability in environments relying on GPAC for media handling.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by attempting to trigger the null-pointer dereference in the GPAC MP4Box application using a specially crafted file that causes a segmentation fault.
A known command to reproduce the crash is: ./MP4Box -dash 100 48_gf_filter_pid_resolve_file_template_ex_filter_core_filter_pid_c_9045
Running this command with the crafted file causes the program to crash with an AddressSanitizer error indicating a segmentation violation due to a read memory access on a NULL pointer.