Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-60473

CVE-2025-60473: GPAC MP4Box DoS Vulnerability

CVE-2025-60473 is a NULL pointer dereference flaw in GPAC MP4Box that allows attackers to trigger denial of service through crafted files. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-60473 Overview

CVE-2025-60473 is a NULL pointer dereference vulnerability in the gf_filter_in_parent_chain function within src/filter_core/filter_pid.c of GPAC, the multimedia framework that powers the MP4Box utility. Versions prior to 26.02.0 fail to validate that a filter PID instance contains a valid pid member before dereferencing it during parent chain traversal. Attackers can trigger a crash by supplying a crafted media file to MP4Box, resulting in a Denial of Service (DoS) condition affecting media processing workflows.

Critical Impact

Processing a malicious file with a vulnerable MP4Box build aborts the process, disrupting automated transcoding pipelines, content delivery systems, and forensic analysis tools that rely on GPAC.

Affected Products

  • GPAC Project / MP4Box versions before 26.02.0
  • Applications and pipelines embedding the GPAC libgpac filter core
  • Media processing services that ingest untrusted files using GPAC

Discovery Timeline

  • 2026-06-25 - CVE-2025-60473 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2025-60473

Vulnerability Analysis

The vulnerability resides in GPAC's filter graph traversal logic. The gf_filter_in_parent_chain function walks the input PIDs of a parent filter to determine connection relationships. Each iteration retrieves a GF_FilterPidInst structure from the parent's input_pids list and immediately accesses pidi->pid->filter without verifying that pidi->pid is non-NULL. When a crafted input file causes the filter graph to enter a transient state where a PID instance is detached or not yet bound, the dereference reads from a NULL address and crashes the process. The bug is classified as a NULL Pointer Dereference DoS condition.

Root Cause

The root cause is missing input validation on a pointer field of a structure retrieved from a dynamic list. GPAC trusts that every GF_FilterPidInst entry stored in parent->input_pids has a fully initialized pid field, which is not invariant during graph reconfiguration triggered by malformed media inputs.

Attack Vector

Exploitation requires an attacker to deliver a crafted file to a user or service that processes it with a vulnerable MP4Box build. No authentication or network access to the host is required when the file is supplied through normal media ingestion. The result is a process crash, not code execution. A public proof-of-concept file is available in the researcher's GitHub PoC Repository.

c
// Patch from src/filter_core/filter_pid.c - adds NULL check before dereference
 	}
 	for (i=0; i<parent->num_input_pids; i++) {
 		GF_FilterPidInst *pidi = gf_list_get(parent->input_pids, i);
-		if (gf_filter_in_parent_chain(pidi->pid->filter, filter)) {
+		if (pidi->pid && gf_filter_in_parent_chain(pidi->pid->filter, filter)) {
 			gf_mx_v(parent->tasks_mx);
 			return GF_TRUE;
 		}
// Source: https://github.com/gpac/gpac/commit/b8d80b44718de10b101e1d7fc17c84d69feb092e

The patch introduces a short-circuit pidi->pid && check that prevents the recursive call when the PID pointer is NULL, eliminating the crash condition.

Detection Methods for CVE-2025-60473

Indicators of Compromise

  • Unexpected MP4Box or gpac process termination with SIGSEGV shortly after ingesting a new media file
  • Core dumps showing a faulting address near 0x0 inside gf_filter_in_parent_chain or filter_pid.c
  • Repeated failures of automated transcoding jobs tied to specific user-supplied input files

Detection Strategies

  • Inventory all hosts and container images running MP4Box or linking libgpac, and compare versions against 26.02.0
  • Inspect application logs from media pipelines for abnormal exit codes from GPAC worker processes
  • Hash known PoC artifacts referenced in the GitHub PoC Documentation and alert on matches at file ingestion boundaries

Monitoring Recommendations

  • Monitor crash telemetry from media processing services and route segmentation faults to the SOC for triage
  • Track GitHub Issue #3285 and the upstream commit feed for related filter graph fixes
  • Alert on outbound process restarts that correlate with newly uploaded user content in customer-facing media platforms

How to Mitigate CVE-2025-60473

Immediate Actions Required

  • Upgrade GPAC and MP4Box to version 26.02.0 or later on all systems
  • Rebuild any internal tools or containers that statically link or vendor libgpac against the patched source
  • Restrict MP4Box execution to sandboxed users or containers with resource limits and automatic restart policies

Patch Information

The fix is committed upstream as b8d80b4 in the GPAC repository. Review the GitHub Commit Update for the exact source change, which adds a NULL guard on pidi->pid before traversal. Distribution maintainers should backport this single-line change to packaged GPAC builds older than 26.02.0.

Workarounds

  • Do not process untrusted media files with vulnerable MP4Box builds until the upgrade is applied
  • Run MP4Box under a process supervisor that isolates crashes and prevents pipeline stalls
  • Validate container formats with a stricter pre-parser before handing files to GPAC for full processing
bash
# Verify installed GPAC version and upgrade where needed
MP4Box -version 2>&1 | head -n 1

# Build patched GPAC from source (Linux)
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout v2.6.0  # or the tag matching 26.02.0 or later
./configure && make -j"$(nproc)" && sudo make install

# Confirm the fix is present in the installed binary
strings "$(command -v MP4Box)" | grep -i 'gpac' | head -n 5

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.