CVE-2025-60477 Overview
CVE-2025-60477 is a NULL pointer dereference vulnerability in GPAC, an open-source multimedia framework that includes the MP4Box utility. The flaw exists in the gf_filter_pid_resolve_file_template_ex function located in /filter_core/filter_pid.c. Versions of GPAC/MP4Box prior to 26.02.0 are affected. An attacker can trigger the condition by supplying a crafted media file to the utility, causing the process to crash. The vulnerability is classified as CWE-476 (NULL Pointer Dereference).
Critical Impact
A crafted input file processed by MP4Box causes a NULL pointer dereference, resulting in process termination and denial of service for local multimedia processing workflows. The impact is limited to availability: the flaw yields neither code execution nor data disclosure.
Affected Products
- GPAC Project — versions prior to 26.02.0
- MP4Box utility — versions prior to 26.02.0
- The gf_filter_pid_resolve_file_template_ex function in /filter_core/filter_pid.c
Discovery Timeline
- 2026-06-03 - CVE-2025-60477 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2025-60477
Vulnerability Analysis
The vulnerability resides in gf_filter_pid_resolve_file_template_ex, the routine that resolves file output templates for GPAC's filter pipeline. When the function processes a crafted file, a pointer obtained during template resolution is dereferenced without first being checked for NULL, and the MP4Box process crashes. The affected code runs with the privileges of whoever invokes the tool, so exploitation requires that a vulnerable build be run on the attacker's file, either by a user opening it or by an automated pipeline ingesting it. The outcome is a denial of service against the GPAC processing workflow rather than code execution or data disclosure.
Root Cause
The root cause is missing validation of a pointer returned or referenced inside gf_filter_pid_resolve_file_template_ex in /filter_core/filter_pid.c. The function assumes a non-NULL value during template resolution. A malformed input file drives the code path into a state where this assumption no longer holds, producing the dereference. The upstream commit 13eb5b76560aaf7813b865a2ad433258478e2695 adds the necessary check.
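The bug class is easier to see on a small model than in the advisory text. The following is an added example, not GPAC's code: a hypothetical template resolver that expands $Name$ tokens from a property table standing in for a filter PID's properties. The types (prop_t, fpid_t) and the token syntax are assumptions for illustration. The unchecked variant shows the shape described above (a lookup result assumed non-NULL); the checked variant adds the kind of validation the upstream fix introduces and reports an unresolvable token as an error instead of dereferencing NULL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical property table standing in for a filter PID's named properties.
 * Illustrative only; these are not GPAC's GF_FilterPid or GF_PropertyValue. */
typedef struct { const char *name; const char *value; } prop_t;
typedef struct { const prop_t *props; size_t count; } fpid_t;

/* Look up a property by a non-terminated name; NULL when the PID does not carry it. */
static const char *fpid_get(const fpid_t *pid, const char *name, size_t name_len) {
    for (size_t i = 0; i < pid->count; i++) {
        if (strlen(pid->props[i].name) == name_len &&
            memcmp(pid->props[i].name, name, name_len) == 0)
            return pid->props[i].value;
    }
    return NULL;
}

/* Vulnerable shape: every $Name$ token is assumed to resolve. A template naming a
 * property the PID does not carry makes fpid_get() return NULL, and strlen(val)
 * dereferences that NULL pointer (CWE-476).
 * Returns the output length, or -1 for an unterminated token or a full buffer. */
static int resolve_template_unchecked(const fpid_t *pid, const char *tmpl,
                                      char *out, size_t out_sz) {
    size_t o = 0;
    for (const char *p = tmpl; *p;) {
        if (*p != '$') {
            if (o + 1 >= out_sz) return -1;
            out[o++] = *p++;
            continue;
        }
        const char *end = strchr(p + 1, '$');
        if (!end) return -1;
        const char *val = fpid_get(pid, p + 1, (size_t)(end - p - 1));
        size_t n = strlen(val);             /* crashes when val == NULL */
        if (o + n >= out_sz) return -1;
        memcpy(out + o, val, n);
        o += n;
        p = end + 1;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hardened shape: the lookup result is validated before use, and an unknown
 * property is reported as -2 rather than dereferenced. */
static int resolve_template_checked(const fpid_t *pid, const char *tmpl,
                                    char *out, size_t out_sz) {
    size_t o = 0;
    for (const char *p = tmpl; *p;) {
        if (*p != '$') {
            if (o + 1 >= out_sz) return -1;
            out[o++] = *p++;
            continue;
        }
        const char *end = strchr(p + 1, '$');
        if (!end) return -1;
        const char *val = fpid_get(pid, p + 1, (size_t)(end - p - 1));
        if (!val) return -2;                /* the missing check: unknown property */
        size_t n = strlen(val);
        if (o + n >= out_sz) return -1;
        memcpy(out + o, val, n);
        o += n;
        p = end + 1;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample PID carrying two properties, plus an output buffer. */
static const prop_t sample_props[] = { { "Name", "stream" }, { "Number", "7" } };
static const fpid_t sample_pid = { sample_props, 2 };
static char resolved[128];

int main(void) {
    int n = resolve_template_unchecked(&sample_pid, "out_$Name$_$Number$.m4s",
                                       resolved, sizeof resolved);
    printf("unchecked, all tokens known: %d -> %s\n", n, resolved);
    /* "$Bandwidth$" is not a property of sample_pid: the checked resolver reports -2;
     * the unchecked one would call strlen(NULL) on this input. */
    n = resolve_template_checked(&sample_pid, "seg_$Bandwidth$.m4s",
                                 resolved, sizeof resolved);
    printf("checked, unknown token: %d\n", n);
    return 0;
}
```

The single added line (`if (!val) return -2;`) is the whole difference between a crash and a clean error; that is the pattern to look for when reviewing the upstream commit.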
Attack Vector
An attacker must convince a local user to process a malicious file with a vulnerable MP4Box build. Delivery channels include email attachments, file shares, automated media conversion pipelines, and batch scripts. The vulnerability does not provide code execution, but repeated crashes can disrupt media processing services that ingest untrusted input. Public discussion and proof-of-concept material are available in the GPAC Issue Discussion and the Proof-of-Concept README. Treat any proof-of-concept sample as hostile input and open it only with a patched build or inside an isolated environment.
Detection Methods for CVE-2025-60477
Indicators of Compromise
- Unexpected MP4Box process crashes or segmentation faults recorded in system logs or core dump directories.
- Presence of untrusted media files in directories monitored by automated GPAC conversion pipelines.
- Repeated invocation failures of GPAC filter graphs referencing file template resolution.
Detection Strategies
- Inventory GPAC and MP4Box binaries across endpoints and servers, flagging any version earlier than 26.02.0.
- Monitor for MP4Box processes terminated by SIGSEGV (a shell reports this as exit status 139, that is 128 + signal 11), especially when invoked against externally sourced media.
- Correlate crash events with the file path of the input argument to identify potentially malicious samples.
Monitoring Recommendations
- Enable core dump collection on hosts running GPAC so that crash stack traces can be checked for frames in gf_filter_pid_resolve_file_template_ex; restrict access to the dump directory, since a dump taken while processing untrusted media contains the attacker's input.
- Log all invocations of MP4Box in automated media pipelines, including command-line arguments and exit codes.
- Alert on processing failures that recur for the same input file, which indicates a deterministic crash trigger.
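The detection and monitoring points above (distinguish a SIGSEGV death from an ordinary non-zero exit, tie it to the input file, alert when the same file crashes the tool repeatedly) can be wired into the process that launches MP4Box. The following is an added example and not GPAC's or MP4Box's code: a small POSIX launcher that runs a command, decodes the wait status, and keeps a per-input tally. The MP4Box invocation it would wrap, the input path and the stand-in crashing command are constructed for the demonstration.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv (NULL-terminated, argv[0] is the program) as a child and report how
 * it ended:
 *   0..255 : normal exit with that status
 *   -signo : killed by signal signo; a SIGSEGV crash is -11 (-SIGSEGV)
 *   -1000  : fork or waitpid failed
 * A shell reports the same SIGSEGV death as $? = 139 (128 + 11); waitpid()
 * reports it through WIFSIGNALED/WTERMSIG, which is the unambiguous signal to
 * key detection on. */
static int run_and_classify(char *const argv[]) {
    pid_t child = fork();
    if (child < 0) return -1000;
    if (child == 0) {
        execvp(argv[0], argv);
        _exit(127);                         /* exec failed: surfaces as exit status 127 */
    }
    int status = 0;
    if (waitpid(child, &status, 0) < 0) return -1000;
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -1000;
}

/* Per-input tally of SIGSEGV deaths, so a file that crashes the tool on every
 * attempt (a deterministic trigger) can be told apart from a one-off fault. */
#define MAX_TRACKED 64
typedef struct { char path[256]; int segv_count; } crash_entry;
static crash_entry tracked[MAX_TRACKED];
static size_t tracked_n;

static crash_entry *find_or_add(const char *input_path) {
    for (size_t i = 0; i < tracked_n; i++)
        if (strcmp(tracked[i].path, input_path) == 0) return &tracked[i];
    if (tracked_n == MAX_TRACKED) return NULL;
    crash_entry *e = &tracked[tracked_n++];
    snprintf(e->path, sizeof e->path, "%s", input_path);
    e->segv_count = 0;
    return e;
}

/* Record the outcome of one run against input_path; returns that file's SIGSEGV
 * count so far (-1 if the table is full). */
static int record_outcome(const char *input_path, int outcome) {
    crash_entry *e = find_or_add(input_path);
    if (!e) return -1;
    if (outcome == -SIGSEGV) e->segv_count++;
    return e->segv_count;
}

/* A file is treated as a deterministic crash trigger once it has produced at
 * least two SIGSEGV deaths; that is the condition worth alerting on. */
static int is_deterministic_crash(const char *input_path) {
    for (size_t i = 0; i < tracked_n; i++)
        if (strcmp(tracked[i].path, input_path) == 0) return tracked[i].segv_count >= 2;
    return 0;
}

int main(void) {
    /* Constructed stand-in for a vulnerable MP4Box run: a shell that kills itself
     * with SIGSEGV. In a real pipeline the argv would be the MP4Box command line,
     * for example { "MP4Box", "-info", input, NULL }. */
    char *crash_argv[] = { "sh", "-c", "kill -s SEGV $$", NULL };
    const char *input = "/srv/ingest/sample.mp4";   /* constructed path */
    for (int attempt = 0; attempt < 2; attempt++) {
        int outcome = run_and_classify(crash_argv);
        int count = record_outcome(input, outcome);
        printf("attempt %d: outcome=%d segv_count=%d deterministic=%d\n",
               attempt + 1, outcome, count, is_deterministic_crash(input));
    }
    return 0;
}
```

Keying on WIFSIGNALED rather than on "exit code 139" avoids both false negatives (a wrapper script that swallows the signal) and false positives (a tool that legitimately exits 139); the second-crash threshold keeps a single transient fault from paging anyone while still catching a crafted file on its first retry.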
How to Mitigate CVE-2025-60477
Immediate Actions Required
- Upgrade GPAC and MP4Box to version 26.02.0 or later on all affected systems.
- Restrict MP4Box execution to trusted input sources until patching completes.
- Audit automated media processing pipelines for exposure to user-submitted files.
Patch Information
The fix is committed upstream in the GPAC repository. Apply the change introduced in GPAC Commit 13eb5b7 or upgrade to a release containing this commit (26.02.0 and later). Build from source or obtain updated packages from your distribution maintainer. Additional context is available in the GPAC Issue 3301.
Workarounds
- Run MP4Box inside a sandboxed or containerized environment so a crash does not affect the host service.
- Validate or pre-filter media files using a separate parser before passing them to MP4Box.
- Disable or gate any web-facing service that exposes MP4Box to anonymous file uploads until the patch is deployed.
# Verify the installed MP4Box version; upgrade if it reports anything older than 26.02.0
MP4Box -version
# Build the patched version from source. Checking out the fix commit itself yields a
# development snapshot; prefer the release tag for 26.02.0 or later where one is available.
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout 13eb5b76560aaf7813b865a2ad433258478e2695
./configure && make -j"$(nproc)" && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.