CVE-2025-60486 Overview
CVE-2025-60486 is a heap use-after-free vulnerability in the dasher_process function located in /filters/dasher.c of the GPAC Project's MP4Box utility. The flaw affects MP4Box versions before 26.02.0 and is tracked under CWE-416. An attacker who convinces a user to process a crafted MPEG-2 file can trigger memory corruption that terminates the application. Exploitation requires local file access and user interaction, but no privileges. The reported impact is denial of service rather than code execution or data disclosure.
Critical Impact
A crafted MPEG-2 file processed by MP4Box causes a heap use-after-free in dasher_process, terminating the multimedia tool and disrupting media processing workflows.
Affected Products
- GPAC Project MP4Box versions prior to 26.02.0
- GPAC multimedia framework distributions bundling the dasher filter
- Downstream tools and pipelines that invoke MP4Box for DASH segmentation
Discovery Timeline
- 2026-06-01 - CVE-2025-60486 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2025-60486
Vulnerability Analysis
The vulnerability resides in dasher_process, the core processing function inside /filters/dasher.c. This component implements Dynamic Adaptive Streaming over HTTP (DASH) segmentation logic in GPAC. When MP4Box parses a malformed MPEG-2 input, the dasher filter accesses heap memory that has already been freed. The use-after-free condition produces undefined behavior and an application crash. The issue is categorized as CWE-416: Use After Free.
Root Cause
The defect stems from improper object lifetime management within the dasher filter pipeline. A heap allocation referenced during DASH segment processing is released while another code path still holds a pointer to it. Subsequent dereference of the stale pointer corrupts allocator metadata or triggers a segmentation fault. The upstream fix is tracked in GitHub commit e6d0182.
Attack Vector
Exploitation requires a local attacker to deliver a crafted MPEG-2 file and convince a user or automated process to open it with MP4Box. The attack vector is local and depends on user interaction. The impact is limited to availability, with no confidentiality or integrity loss reported. Public proof-of-concept materials are available in the sigdevel pocs repository and the GPAC issue tracker. The EPSS probability is 0.012%, indicating low predicted exploitation activity.
No verified exploit code is reproduced here. Refer to the linked GPAC issue and proof-of-concept README for technical reproduction details.
Detection Methods for CVE-2025-60486
Indicators of Compromise
- Unexpected MP4Box process termination or segmentation faults during DASH packaging of MPEG-2 sources
- Crash artifacts referencing dasher_process or /filters/dasher.c in core dumps and crash logs
- Anomalous MPEG-2 transport stream files arriving from untrusted sources before media conversion jobs
Detection Strategies
- Inventory hosts and build agents running GPAC or MP4Box and compare installed versions against 26.02.0
- Monitor media conversion services for repeated abnormal exits tied to the MP4Box binary
- Inspect ingest pipelines for MPEG-2 files that fail GPAC parsing with use-after-free signatures under AddressSanitizer builds
Monitoring Recommendations
- Enable process telemetry on media-processing servers to capture exit codes and crash reasons for MP4Box
- Forward application crash events and core dumps to a centralized logging or SIEM platform for correlation
- Alert on outbound or inbound transfers of MPEG-2 content that bypass content scanning controls
How to Mitigate CVE-2025-60486
Immediate Actions Required
- Upgrade GPAC and MP4Box to version 26.02.0 or later on all systems, including container images and CI runners
- Restrict MP4Box invocation to trusted MPEG-2 inputs and reject untrusted media at the perimeter
- Run MP4Box in sandboxed or unprivileged service accounts to contain crashes and limit collateral impact
Patch Information
The GPAC maintainers addressed the heap use-after-free in commit e6d01820d7bf3967d931fedb379ee5f209bc133b. The fix is included in MP4Box 26.02.0. Additional discussion appears in GPAC issue #3314 and the OSS-Security advisory.
Workarounds
- Avoid processing MPEG-2 files from untrusted or unverified sources with vulnerable MP4Box versions
- Isolate media transcoding workloads inside containers or virtual machines with automatic restart policies
- Apply file-type and content validation before passing media into the GPAC dasher pipeline
# Verify installed MP4Box version and upgrade from source
MP4Box -version
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout v2.6.0 # or later release containing commit e6d01820
./configure --static-bin
make -j$(nproc)
sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
