Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-60474

CVE-2025-60474: GPAC MP4Box Buffer Overflow DoS Vulnerability

CVE-2025-60474 is a buffer overflow vulnerability in GPAC MP4Box that enables attackers to trigger a Denial of Service. This article covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2025-60474 Overview

CVE-2025-60474 is a stack-based buffer overflow [CWE-121] in the gf_media_import function located in /media_tools/av_parsers.c of GPAC Project MP4Box. The flaw affects versions before 26.02.0 and allows remote attackers to trigger a Denial of Service (DoS) by supplying a crafted media input file. GPAC is a widely used open-source multimedia framework, and MP4Box is its command-line packaging and analysis tool. Exploitation requires no authentication or user interaction beyond processing the malicious file, making any automated media pipeline that parses untrusted input a viable target.

Critical Impact

A remote attacker can crash the MP4Box process by supplying a crafted media file, disrupting media processing pipelines and any service that ingests untrusted media content.

Affected Products

  • GPAC Project MP4Box versions before 26.02.0
  • GPAC multimedia framework (gf_media_import code path)
  • Applications and pipelines embedding the vulnerable GPAC library

Discovery Timeline

  • 2026-06-24 - CVE-2025-60474 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2025-60474

Vulnerability Analysis

The vulnerability resides in the gf_media_import function within GPAC's media import logic. When processing a track's language property, the code reads three bytes from a string property without verifying its length. A crafted input supplying a language string shorter than three characters causes an out-of-bounds read on the stack-resident buffer, leading to a buffer overflow condition classified as [CWE-121].

Processing the malformed input drives the MP4Box process into an unrecoverable state, terminating execution. Services that automate MP4Box invocations against attacker-supplied files inherit the DoS condition. The flaw does not affect confidentiality or integrity, but it impairs availability of any system that parses untrusted media through GPAC.

Root Cause

The root cause is missing length validation on the GF_PROP_PID_LANGUAGE property string before constructing a four-character code with the GF_4CC macro. The original code accessed p->value.string[0], [1], and [2] without confirming the string contained three or more bytes. Any shorter string, including an empty or single-character value, results in reading beyond the allocated buffer.

Attack Vector

The attack vector is network-reachable through any service that ingests media files using GPAC or MP4Box. An attacker crafts an input file that exposes a language property of insufficient length and submits it to the parser. No authentication or user interaction is required, and exploitation yields a process crash that disrupts downstream media processing.

c
// Source: https://github.com/gpac/gpac/commit/bd7fd6be546e0cd9e599c6b262c338c5f2ecec5c
// Patch in src/media_tools/media_import.c - Fixed #3287
			p = gf_filter_pid_get_property(pid, GF_PROP_PID_CODECID);
			tki->codecid = p ? p->value.uint : GF_CODECID_NONE;
			p = gf_filter_pid_get_property(pid, GF_PROP_PID_LANGUAGE);
-			if (p && p->value.string) tki->lang = GF_4CC(p->value.string[0], p->value.string[1], p->value.string[2], ' ');
+			if (p && p->value.string && (strlen(p->value.string)>=3))
+				tki->lang = GF_4CC(p->value.string[0], p->value.string[1], p->value.string[2], ' ');
			p = gf_filter_pid_get_property(pid, GF_PROP_PID_ID);
			tki->track_num = p ? p->value.uint : 1;
			p = gf_filter_pid_get_property(pid, GF_PROP_PID_ESID);

The patch adds a strlen(p->value.string)>=3 check before dereferencing the first three characters, preventing the out-of-bounds access.

Detection Methods for CVE-2025-60474

Indicators of Compromise

  • Unexpected MP4Box or GPAC process crashes or core dumps when parsing externally supplied media files
  • Repeated segmentation faults or SIGSEGV signals tied to the gf_media_import call path
  • Anomalous spikes in failed media transcoding jobs originating from untrusted upload sources

Detection Strategies

  • Inventory hosts running GPAC or MP4Box binaries and compare installed versions against the fixed release 26.02.0
  • Inspect media processing logs for crash events correlated with newly uploaded or third-party media files
  • Apply file integrity monitoring to flag malformed media samples submitted to ingestion endpoints

Monitoring Recommendations

  • Enable core dump collection on media servers to capture stack traces referencing gf_media_import
  • Alert on abnormal process termination rates for MP4Box and any service linking libgpac
  • Correlate ingestion telemetry with downstream processing failures to surface targeted DoS attempts

How to Mitigate CVE-2025-60474

Immediate Actions Required

  • Upgrade GPAC and MP4Box to version 26.02.0 or later on every system that processes untrusted media
  • Rebuild and redeploy any application statically linking libgpac against the patched source tree
  • Restrict MP4Box invocations to validated input sources until patching is verified across the fleet

Patch Information

The fix is committed upstream in GPAC commit bd7fd6b, which resolves GitHub issue #3287. A reproduction case is available in the public PoC repository and documented in the associated README. Apply the patch by upgrading to GPAC 26.02.0 or building from a commit that includes the language length check.

Workarounds

  • Validate media files with a separate parser to confirm well-formed language metadata before invoking MP4Box
  • Sandbox MP4Box execution with resource limits and automatic restart to contain DoS impact
  • Reject uploaded media that fails schema validation on the language field at the application boundary
bash
# Verify the installed GPAC/MP4Box version and upgrade if vulnerable
MP4Box -version 2>&1 | head -n 2

# Build the fixed version from source
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout v2.6.0  # or any tag at or after the patched commit bd7fd6b
./configure && make -j$(nproc)
sudo make install

# Sandbox MP4Box during media ingestion to contain crashes
systemd-run --scope -p MemoryMax=512M -p CPUQuota=50% \
    MP4Box -info /path/to/untrusted/input.mp4

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.