CVE-2025-22919 Overview
CVE-2025-22919 is a reachable assertion vulnerability in FFmpeg git-master commit N-113007-g8d24a28d06. Attackers can trigger a Denial of Service (DoS) by supplying a crafted Advanced Audio Coding (AAC) file to a vulnerable FFmpeg build. The flaw is classified under [CWE-617: Reachable Assertion]. Exploitation requires user interaction because the victim must open or process the malicious media file. The issue affects FFmpeg's AAC demuxing path and causes the process to abort when the assertion fires.
Critical Impact
A single crafted AAC file can terminate FFmpeg-based media pipelines, disrupting streaming servers, transcoders, and any application embedding libavformat for AAC processing.
Affected Products
- FFmpeg git-master commit N-113007-g8d24a28d06
- Debian LTS distributions bundling the affected FFmpeg build
- Downstream applications linking libavformat and libavcodec for AAC handling
Discovery Timeline
- 2025-02-18 - CVE-2025-22919 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-22919
Vulnerability Analysis
The vulnerability resides in FFmpeg's AAC parsing logic within the affected git-master commit. When FFmpeg processes a crafted AAC file, internal state values violate an invariant enforced by an assert() call. The assertion triggers process termination through abort(), halting media processing. Because the assertion is reachable from attacker-controlled input, any service that ingests untrusted AAC streams becomes exposed to reliable crash conditions. The Exploit Prediction Scoring System (EPSS) probability recorded is 0.393%.
Root Cause
The root cause is an assertion designed to catch developer-side invariant violations that instead validates attacker-controlled field values from parsed AAC headers. Malformed metadata bypasses upstream validation and reaches the assertion path in the demuxer. Rather than returning a graceful error code, FFmpeg aborts the process. This behavior aligns with [CWE-617], where reachable assertions convert malformed input into denial-of-service conditions.
Attack Vector
An attacker crafts a malicious AAC file containing header fields that violate FFmpeg's internal parsing invariants. The attacker delivers the file through web upload, email attachment, streaming ingest, or any workflow that pipes untrusted media through FFmpeg. Once the victim application invokes FFmpeg on the file, the assertion fires and the process aborts. No authentication is required, and the attack works remotely when FFmpeg is exposed through a media-processing service.
The vulnerability manifests during AAC container parsing before any decoding of audio samples occurs. See FFmpeg Ticket #11385 for the reproducer and stack trace details.
Detection Methods for CVE-2025-22919
Indicators of Compromise
- Unexpected FFmpeg process termination with Assertion failed messages in stderr or systemd journal logs.
- Core dumps generated from ffmpeg, ffprobe, or applications linking libavformat shortly after AAC file ingestion.
- Repeated upload or ingestion of AAC files followed by transcoder worker restarts or queue backlogs.
Detection Strategies
- Inspect application logs for abort() signals (SIGABRT) originating from FFmpeg child processes.
- Correlate media ingestion events with process-exit telemetry to identify crash patterns tied to specific uploaders.
- Deploy file-type validation and AAC header sanity checks upstream of FFmpeg to flag anomalous inputs.
Monitoring Recommendations
- Track FFmpeg process exit codes and restart counts in transcoding fleets to surface DoS activity.
- Alert on repeated SIGABRT terminations from the same source IP or user account submitting media.
- Monitor Debian LTS security advisories via the Debian LTS Announcement for patched package versions.
How to Mitigate CVE-2025-22919
Immediate Actions Required
- Upgrade FFmpeg beyond commit N-113007-g8d24a28d06 to a version containing the fix for FFmpeg Ticket #11385.
- Apply Debian LTS security updates listed in the Debian LTS Announcement for affected packages.
- Isolate FFmpeg workers processing untrusted media into sandboxed containers with automatic restart policies.
Patch Information
Rebuild FFmpeg from a git-master revision that post-dates the fix committed against ticket #11385, or install the patched packages distributed by Debian LTS. Downstream vendors that embed libavformat must also refresh their bundled FFmpeg sources.
Workarounds
- Reject or quarantine AAC files from untrusted sources until the patched FFmpeg version is deployed.
- Run FFmpeg under a supervisor that automatically restarts crashed workers to preserve service availability.
- Enforce input validation on AAC headers before invoking FFmpeg to reduce exposure to malformed containers.
# Configuration example: verify installed FFmpeg version and restrict AAC ingest
ffmpeg -version | grep -i "N-113007" && echo "Vulnerable build detected - upgrade required"
# Debian/Ubuntu: apply security updates for FFmpeg
sudo apt-get update && sudo apt-get install --only-upgrade ffmpeg libavformat-dev libavcodec-dev
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

