CVE-2025-60485
Received - Intake
Segmentation Violation in GPAC MP4Box via Crafted MP4 File

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: MITRE

Description
A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

Affected Vendors & Products

Vendor | Product | Version / Range
gpac   | mp4box  | up to 26.02.0 (excluding)

CWE ID  | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-60485 is a segmentation fault vulnerability in the GPAC project's MP4Box tool, in the function gf_isom_apple_set_tag_ex in isomedia/isom_write.c. It occurs when MP4Box processes a crafted or corrupted MP4 file containing invalid or incomplete descriptors (such as corrupted "esds" boxes). The function does not validate pointers before accessing memory, which leads to a NULL pointer dereference and crashes the program.

The crash results in a Denial of Service (DoS) condition: MP4Box terminates instead of completing the operation whenever it handles such a maliciously crafted MP4 file.


How can this vulnerability impact me?

This vulnerability can impact users by causing a Denial of Service (DoS) when processing specially crafted MP4 files with the vulnerable version of MP4Box. An attacker can supply a malicious MP4 file that triggers a segmentation fault, crashing the application and potentially disrupting workflows or automated processes that rely on MP4Box for media file handling.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the crash using a crafted MP4 file that triggers the segmentation fault in the GPAC MP4Box tool. Specifically, the crash occurs when processing corrupted MP4 files containing invalid descriptors or incomplete box structures.

A known test file named `52_gf_isom_apple_set_tag_ex_isomedia_isom_write_c_6309` can be used to trigger the issue.

The following command was used to reproduce the crash on a Kali Linux system:

    ./MP4Box -splitf 30:60 52_gf_isom_apple_set_tag_ex_isomedia_isom_write_c_6309

Running the tool under AddressSanitizer or a similar memory error detection tool helps identify the segmentation violation caused by the NULL pointer dereference.
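
In an automated pipeline, a crash of this kind appears as the child process dying on SIGSEGV (shell exit status 139) rather than returning a normal error code. The shell functions below are an added example, not code from GPAC or from this page; the function names, the directory layout and the `MP4Box -info` invocation in the usage comment are assumptions to be replaced with the command your pipeline actually runs.

```shell
#!/bin/sh
# Added example (not GPAC code). Runs a media command once per input file in a
# child process and separates "tool crashed" from "tool rejected the file".

# classify_status <status>: map a shell exit status to a verdict string.
# Statuses above 128 are treated as "killed by signal (status - 128)".
classify_status() {
  if [ "$1" -eq 0 ]; then echo ok
  elif [ "$1" -eq 139 ]; then echo crash-sigsegv      # 128 + 11 (SIGSEGV)
  elif [ "$1" -gt 128 ]; then echo "crash-signal-$(( $1 - 128 ))"
  else echo "error-exit-$1"                           # ordinary failure
  fi
}

# triage_file <file> <command> [args...]: run "command args... file" and
# print the verdict. "|| ts_status=$?" keeps this safe under "set -e".
triage_file() {
  ts_file=$1; shift
  ts_status=0
  "$@" "$ts_file" >/dev/null 2>&1 || ts_status=$?
  classify_status "$ts_status"
}

# triage_dir <input dir> <quarantine dir> <command> [args...]: move every
# *.mp4 that crashes the command into the quarantine dir; print how many.
triage_dir() {
  td_in=$1; td_q=$2; shift 2
  td_count=0
  mkdir -p "$td_q"
  for td_f in "$td_in"/*.mp4; do
    [ -e "$td_f" ] || continue                        # empty directory
    case "$(triage_file "$td_f" "$@")" in
      crash-*) mv "$td_f" "$td_q"/ && td_count=$((td_count + 1)) ;;
    esac
  done
  echo "$td_count"
}

# Typical use (paths and the -info option are placeholders/assumptions):
#   triage_dir ./incoming ./quarantine MP4Box -info
```

Quarantined files can then be re-run against an AddressSanitizer build to confirm whether the crash is the NULL dereference described here.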


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to update GPAC MP4Box to a version that includes the fix for this vulnerability.

The fix adds NULL pointer checks to the vulnerable function so that it no longer crashes when processing crafted MP4 files.

If updating is not immediately possible, avoid processing untrusted or potentially corrupted MP4 files with GPAC MP4Box to reduce the risk of denial of service.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not include any details on how the segmentation violation vulnerability in GPAC Project/MP4Box affects compliance with common standards and regulations such as GDPR or HIPAA.

