CVE-2025-60485 Overview
CVE-2025-60485 is a segmentation violation in the gf_isom_apple_set_tag_ex function located in /isomedia/isom_write.c of the GPAC Project's MP4Box utility. The flaw affects GPAC versions before 26.02.0 and is classified as a null pointer dereference [CWE-476]. An attacker can trigger the crash by supplying a crafted MP4 file, causing MP4Box to terminate abnormally and resulting in a denial of service (DoS) condition.
Critical Impact
Local attackers can crash MP4Box by enticing a user to process a malicious MP4 file, disrupting media processing workflows that rely on the GPAC toolchain.
Affected Products
- GPAC Project MP4Box versions prior to 26.02.0
- Applications and pipelines bundling vulnerable GPAC libraries for MP4 parsing
- Media processing services that invoke MP4Box on untrusted input
Discovery Timeline
- 2026-06-01 - CVE-2025-60485 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2025-60485
Vulnerability Analysis
The defect resides in gf_isom_apple_set_tag_ex, a routine in GPAC's ISO Base Media File Format writer that handles Apple-style metadata tags. When parsing a malformed MP4 file, the function dereferences a pointer that was never initialized or had already been freed, producing a segmentation fault. The crash terminates MP4Box and any process embedding the affected GPAC code path.
Because the attack vector is local and requires user interaction, exploitation typically involves convincing a user, build pipeline, or automated media converter to process a hostile .mp4 container. The vulnerability does not expose memory contents or allow code execution, but it reliably halts availability of the affected component.
Root Cause
The root cause is a missing null check inside gf_isom_apple_set_tag_ex before pointer dereference. The upstream fix in commit 4860a1a6f128ccc9ae37b4b738d22029f9672457 introduces guard conditions and adds proper memory cleanup in adjacent code paths (src/filters/dasher.c and src/filters/isoffin_load.c). The patch closes related issues #3323 and #3325.
Attack Vector
An attacker crafts an MP4 file containing manipulated Apple metadata atoms that drive gf_isom_apple_set_tag_ex down an unguarded code path. The victim opens or transcodes the file with MP4Box (or an application linking GPAC), triggering the segmentation violation.
// Source: https://github.com/gpac/gpac/commit/4860a1a6f128ccc9ae37b4b738d22029f9672457
// Patch in src/filters/dasher.c - adds null check on `s` before use
//append to previous entry if possible
s = gf_list_last(tl->entries);
- if (prev_patch_dur) {
+ if (s && prev_patch_dur) {
u32 nb_ent = gf_list_count(tl->entries);
//split entry
if (s->repeat_count) {
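Review bot: on the `if (s && prev_patch_dur)` line, the new guard shows that `s` can be NULL after `gf_list_last(tl->entries)`, but it only protects this branch. When `s` is NULL and `prev_patch_dur` is set, the append is now skipped without any trace, so confirm that the path taken instead never reads `s`, and add a short comment saying what should happen to the pending patch duration when there is no previous entry.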
// Source: https://github.com/gpac/gpac/commit/4860a1a6f128ccc9ae37b4b738d22029f9672457
// Patch in src/filters/isoffin_load.c - frees `dyname` to prevent stale references
}
break;
}
+
+ if (dyname)
+ gf_free(dyname);
}
if (gf_sys_old_arch_compat()) {
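Review bot: after the added `gf_free(dyname);` the variable still holds the freed address, so if the enclosing block runs more than once or `dyname` is read after this point, the next pass frees or uses a stale pointer. Set `dyname = NULL;` right after the free, or confirm that `dyname` is declared and initialised inside this scope on every pass.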
Detection Methods for CVE-2025-60485
Indicators of Compromise
- Unexpected MP4Box process termination with SIGSEGV signals in system or container logs
- Core dumps referencing gf_isom_apple_set_tag_ex or isom_write.c in stack traces
- Repeated failures when processing MP4 files received from untrusted sources
Detection Strategies
- Inventory hosts and containers running GPAC and verify the installed version against 26.02.0 or later
- Monitor for crashes of MP4Box and linked binaries in media processing services, build agents, and content pipelines
- Inspect MP4 inputs with file integrity tooling to flag atypical Apple metadata atoms before they reach GPAC
Monitoring Recommendations
- Forward process termination and crash telemetry from media processing hosts to a centralized analytics platform
- Alert on abnormal exit codes from automated transcoding jobs that invoke MP4Box
- Track ingestion of MP4 files from external or untrusted submitters and correlate with subsequent process failures
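One way to implement the exit-code alerting and submitter correlation listed above, as an added example (not part of the original advisory and not GPAC code). The event fields, the `upload-api` source name and the stand-in commands are assumptions made for illustration.

```python
import hashlib, signal, subprocess, sys
from collections import Counter

def classify(returncode, wrapped=False):
    """Map a POSIX return code to (verdict, signal_name)."""
    if wrapped and returncode > 128:         # shells and `docker run` report signal N as 128+N
        returncode = -(returncode - 128)
    if returncode < 0:                       # subprocess reports death by signal N as -N
        try:
            return "crash", signal.Signals(-returncode).name
        except ValueError:
            return "crash", f"signal {-returncode}"
    return ("ok" if returncode == 0 else "error"), None

def run_job(argv, input_bytes, source, wrapped=False, timeout=120):
    """Run one job; return an event tying the input hash and submitter to the outcome."""
    event = {"source": source, "sha256": hashlib.sha256(input_bytes).hexdigest(),
             "tool": argv[0], "signal": None, "exit_code": None}
    try:
        rc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, timeout=timeout).returncode
        event["verdict"], event["signal"] = classify(rc, wrapped)
        event["exit_code"] = rc if rc >= 0 else None
    except subprocess.TimeoutExpired:
        event["verdict"] = "timeout"
    return event

def sources_to_alert(events, threshold=2):
    """Submitters whose files ended in a crash or timeout at least `threshold` times."""
    bad = Counter(e["source"] for e in events if e["verdict"] in ("crash", "timeout"))
    return sorted(s for s, n in bad.items() if n >= threshold)

# Constructed stand-ins so the example runs without GPAC installed; a real job
# would pass something like ["MP4Box", "-info", path] as argv.
SEGV = [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
CLEAN = [sys.executable, "-c", "pass"]

if __name__ == "__main__":
    events = [run_job(SEGV, b"sample-a", "upload-api"),
              run_job(SEGV, b"sample-b", "upload-api"),
              run_job(CLEAN, b"sample-c", "internal")]
    for e in events:
        print(e)
    print("alert on:", sources_to_alert(events))
```

Pass `wrapped=True` when the job is launched through a shell or `docker run`, where a SIGSEGV surfaces as exit code 139 rather than a negative return code.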
How to Mitigate CVE-2025-60485
Immediate Actions Required
- Upgrade GPAC and MP4Box to version 26.02.0 or later on all systems
- Restrict MP4Box execution to processing pipelines that handle vetted, trusted media content
- Sandbox MP4Box invocations so that a crash does not impact host services or pipelines
Patch Information
The issue is resolved in GPAC 26.02.0. The fix is applied in upstream GPAC commit 4860a1a6, which addresses GitHub Issue #3323. Additional context is available in the OpenWall OSS-Security disclosure and the public PoC repository.
Workarounds
- Avoid processing untrusted MP4 files with vulnerable MP4Box versions until patched
- Run MP4Box inside isolated containers with restart policies and resource limits to contain crash impact
- Pre-validate MP4 inputs with structural checks before invoking GPAC tooling
# Verify installed GPAC version and upgrade if below 26.02.0
MP4Box -version
# Build from patched source
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout v26.02.0
./configure && make && sudo make install
# Run MP4Box in an isolated container with restricted resources
docker run --rm --read-only --memory=512m --pids-limit=64 \
-v "$PWD":/work -w /work gpac/gpac:26.02.0 \
MP4Box -info input.mp4
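The structural pre-validation listed under Workarounds, which also serves the metadata inspection listed under Detection Strategies, as an added example (not GPAC code and not from the original advisory). It walks moov/udta/meta/ilst and reports boxes whose sizes do not fit their parent and tag items without a usable `data` box; the advisory does not say which atom layout reaches the crash, so this is a generic malformed-tag filter, and it assumes `meta` is an ISO FullBox.

```python
import struct
# Boxes on the path to Apple/iTunes tags: moov/udta/meta/ilst/<item>/data
CONTAINERS = {b"moov", b"udta", b"meta", b"ilst"}

def boxes(buf, start, end, path, findings):
    """Yield (type, payload_start, box_end) for each well-formed box in buf[start:end]."""
    pos = start
    while pos < end:
        if end - pos < 8:
            findings.append(f"{path}: {end - pos} stray bytes, no room for a box header")
            return
        size, typ = struct.unpack_from(">I4s", buf, pos)
        hdr = 8
        if size == 1 and end - pos >= 16:      # 64-bit largesize follows the type
            size, hdr = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                        # box runs to the end of its parent
            size = end - pos
        if size < hdr or pos + size > end:
            findings.append(f"{path}/{typ.decode('latin-1')}: size {size} does not fit in parent")
            return
        yield typ, pos + hdr, pos + size
        pos += size

def check_mp4(buf):
    """Return structural findings for the tag tree; an empty list means it parsed cleanly."""
    findings = []
    def descend(start, end, path, parent):
        for typ, body, stop in boxes(buf, start, end, path, findings):
            here = f"{path}/{typ.decode('latin-1')}"
            if parent == b"ilst":              # each tag item must wrap a 'data' box
                data = [k for k in boxes(buf, body, stop, here, findings) if k[0] == b"data"]
                if not data:
                    findings.append(f"{here}: tag item has no 'data' box")
                elif any(e - b < 8 for _, b, e in data):
                    findings.append(f"{here}: 'data' box lacks its 8-byte type/locale header")
            elif typ in CONTAINERS:
                skip = 4 if typ == b"meta" else 0   # meta is a FullBox (version + flags)
                descend(body + skip, stop, here, typ)
    descend(0, len(buf), "", None)
    return findings

def box(typ, payload=b""):                     # helper to build constructed samples
    return struct.pack(">I4s", 8 + len(payload), typ) + payload
def sample(ilst_items):                        # constructed input, not a real media file
    meta = box(b"meta", b"\0\0\0\0" + box(b"ilst", ilst_items))
    return box(b"ftyp", b"isom\0\0\0\0") + box(b"moov", box(b"udta", meta))

GOOD = sample(box(b"\xa9nam", box(b"data", struct.pack(">II", 1, 0) + b"Title")))
BAD = sample(box(b"\xa9nam") + box(b"\xa9ART", box(b"data", b"\0\0")))
```

A non-empty result from `check_mp4` is a reason to quarantine the file instead of handing it to MP4Box; an empty result only means the tag tree is well-formed, not that the file is safe.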


