CVE-2025-60483 Overview
CVE-2025-60483 is a NULL pointer dereference vulnerability [CWE-476] in the GPAC Project's MP4Box multimedia framework. The flaw resides in the gf_ac4_pres_b_4_back_channels_present function located in /media_tools/av_parsers.c. Attackers can trigger the vulnerability by supplying a crafted AC4 audio file, causing the application to crash and resulting in a Denial of Service (DoS) condition. The issue affects GPAC versions prior to 26.02.0.
Critical Impact
Local attackers can crash MP4Box by providing a malicious AC4 file, disrupting media processing workflows and automated transcoding pipelines that rely on GPAC.
Affected Products
- GPAC Project MP4Box versions before 26.02.0
- Applications and pipelines bundling GPAC libgpac for AC4 audio parsing
- Automated media transcoding services using vulnerable GPAC builds
Discovery Timeline
- 2026-06-01 - CVE-2025-60483 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2025-60483
Vulnerability Analysis
The vulnerability exists in GPAC's AC4 audio bitstream parser. When MP4Box processes a malformed AC4 file, the gf_ac4_pres_b_4_back_channels_present function dereferences a pointer that was never validated against NULL. The resulting access violation terminates the process immediately.
The issue is reachable through standard MP4Box command-line operations such as muxing, demuxing, or inspecting AC4 streams. Because GPAC is integrated into many media processing toolchains, the impact extends beyond interactive use to batch services that ingest untrusted media. Exploitation requires user interaction to load the crafted file but no authentication or special privileges.
Root Cause
The root cause is missing validation of intermediate pointer values prior to dereference inside the AC4 presentation parsing logic. Related fuzzing fixes in the same upstream commit show identical patterns elsewhere in the codebase, where string and buffer pointers were accessed without first checking that they were non-NULL and had non-zero length.
Attack Vector
An attacker crafts an AC4 file with structural fields that drive the parser into a code path where an internal pointer remains unset. When gf_ac4_pres_b_4_back_channels_present reads from that pointer, the process crashes. Delivery typically requires convincing a user or automated service to process the file through MP4Box or a libgpac-linked application.
The upstream commit 13eb5b7 addresses related AC4 and fuzzing defects by adding explicit pointer and length checks before dereference:
prop_val = gf_filter_pid_get_property_first(pid, GF_PROP_PID_FILEALIAS);
if (!prop_val) prop_val = gf_filter_pid_get_property_first(pid, GF_PROP_PID_FILEPATH);
//if filepath is a gmem:// wrapped, don't use it !
- if (prop_val && !strncmp(prop_val->value.string, "gmem://", 7))
+ if (prop_val && prop_val->value.string && !strncmp(prop_val->value.string, "gmem://", 7))
prop_val = NULL;
if (!prop_val)
Source: GPAC commit 13eb5b7
A second hunk from the same commit hardens the text loader path with explicit checks against txt_samp->text and txt_samp->len:
ctx->seek_state = 0;
}
- if (!ctx->pid_framed && (ctx->stxtmod <=STXT_MODE_SBTT)) {
+ if (!ctx->pid_framed && (ctx->stxtmod <=STXT_MODE_SBTT) && txt_samp->text && txt_samp->len) {
dst_pck = gf_filter_pck_new_alloc(ctx->opid, txt_samp->len, &pck_data);
if (!dst_pck) return;
memcpy(pck_data, txt_samp->text, txt_samp->len);
Source: GPAC commit 13eb5b7
Detection Methods for CVE-2025-60483
Indicators of Compromise
- Repeated MP4Box process crashes with segmentation faults when processing AC4 audio files
- Core dumps referencing gf_ac4_pres_b_4_back_channels_present or av_parsers.c in the call stack
- AC4 files of suspicious origin landing in shared transcoding or ingest directories
Detection Strategies
- Hunt for abnormal termination signals (SIGSEGV) from MP4Box, gpac, or applications linking libgpac
- Monitor media ingest pipelines for failure rates correlated with newly uploaded AC4 content
- Inventory installed GPAC versions across build hosts and media servers, flagging any below 26.02.0
Monitoring Recommendations
- Forward process crash telemetry and core dump events from media-processing hosts to a centralized analytics platform
- Track command-line arguments invoking MP4Box against untrusted file paths
- Alert when GPAC binaries on production systems do not match the patched build hash
How to Mitigate CVE-2025-60483
Immediate Actions Required
- Upgrade GPAC and MP4Box to version 26.02.0 or later on every host that processes media
- Restrict MP4Box execution to trusted input directories and reject AC4 files from unauthenticated submitters
- Rebuild and redistribute any internal tooling that statically links libgpac against the patched release
Patch Information
The fix is included in GPAC 26.02.0 and tracked in upstream commit 13eb5b7. See the GPAC issue tracker discussion and the SigDevel PoC writeup for reproduction details. The advisory is also referenced on the Openwall oss-security list.
Workarounds
- Sandbox MP4Box execution using containers, seccomp, or firejail to contain crash impact
- Pre-filter incoming media to reject AC4 streams until the patched version is deployed
- Disable AC4 handling in media workflows that do not require it
# Verify installed GPAC version and upgrade from source
MP4Box -version
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout v2.6.0 # or later containing commit 13eb5b7
./configure && make -j$(nproc) && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
