CVE-2025-60495 Overview
CVE-2025-60495 is a null pointer dereference vulnerability [CWE-476] in the gf_media_get_color_info function located in /media_tools/isom_tools.c of the GPAC Project's MP4Box utility. Versions prior to 26.02.0 are affected. An attacker can trigger a segmentation violation by supplying a crafted media data file, causing the process to terminate and resulting in a Denial of Service (DoS) condition. The flaw requires local user interaction, such as opening or processing a malicious file through MP4Box. While the issue does not affect confidentiality or integrity, it disrupts availability of any workflow that relies on GPAC for media processing.
Critical Impact
Crafted media files processed by MP4Box cause gf_media_get_color_info to dereference a null pointer, terminating the process and disrupting media processing pipelines.
Affected Products
- GPAC Project MP4Box versions prior to 26.02.0
- GPAC multimedia framework components depending on isom_tools.c
- Applications and pipelines embedding vulnerable GPAC libraries for media parsing
Discovery Timeline
- 2026-06-01 - CVE-2025-60495 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2025-60495
Vulnerability Analysis
The defect resides in the gf_media_get_color_info routine within /media_tools/isom_tools.c. When MP4Box parses a crafted input file, the function reaches a code path where an expected structure pointer has not been initialized or populated. Subsequent access to a member through that pointer triggers a segmentation fault. The vulnerability is categorized as a null pointer dereference [CWE-476] and manifests as a Denial of Service rather than a memory corruption exploitable for code execution. Because GPAC and MP4Box are widely used for media transcoding, packaging, and DASH/HLS generation, the impact extends to automated pipelines that ingest untrusted media. An EPSS probability of 0.012% reflects the low likelihood of broad exploitation, but the issue remains relevant to environments processing user-submitted files.
Root Cause
The root cause is missing validation of a pointer or structure field returned during color information parsing inside gf_media_get_color_info. When the crafted file omits or malforms the expected box, the function proceeds without confirming the pointer is non-null. The upstream fix in commit 9beed3c0a2f38505c745e5376234e7ed66e8e0b1 adds the necessary validation. Refer to the GitHub Commit Update and the GitHub Issue Discussion for the upstream analysis.
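The pattern behind a CWE-476 defect of this kind, shown as an added illustration rather than GPAC's own code: the structures, field names and return codes below are hypothetical stand-ins (GPAC's real sample-entry and colour-box types and its GF_Err values are not reproduced), modelling only the shape of the bug, a sub-structure pointer that is NULL when the input omits or malforms the expected box, beside the checked form the fix represents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for a sample-description entry and its
 * colour box. These are NOT GPAC's structures; they only model a parser
 * leaving a sub-structure pointer NULL when the box is missing. */
typedef struct {
    uint16_t colour_primaries;
    uint16_t transfer_characteristics;
    uint16_t matrix_coefficients;
} colr_box_t;

typedef struct {
    colr_box_t *colr;   /* NULL when the file carries no usable colr box */
} sample_entry_t;

/* Return codes for this example (not GPAC's GF_Err values). */
enum { EX_OK = 0, EX_NOT_FOUND = -1, EX_BAD_PARAM = -2 };

/* Vulnerable pattern (CWE-476): entry->colr is used without a check. With
 * entry->colr == NULL this is a read through address 0, i.e. the
 * segmentation fault and process termination the advisory describes. */
int get_color_info_unchecked(const sample_entry_t *entry, uint16_t *primaries)
{
    *primaries = entry->colr->colour_primaries;
    return EX_OK;
}

/* Hardened pattern: validate every pointer on the path before it is
 * dereferenced and return a recoverable error, so the caller can fall back
 * to defaults instead of taking the whole MP4Box process down. */
int get_color_info_checked(const sample_entry_t *entry, uint16_t *primaries)
{
    if (!entry || !primaries)
        return EX_BAD_PARAM;
    if (!entry->colr)
        return EX_NOT_FOUND;
    *primaries = entry->colr->colour_primaries;
    return EX_OK;
}

int main(void)
{
    /* Constructed inputs: one entry with a colr box, one without. */
    colr_box_t box = { 1, 1, 1 };
    sample_entry_t with_box = { &box };
    sample_entry_t without_box = { NULL };
    uint16_t p = 0;

    printf("with box    -> rc=%d primaries=%u\n",
           get_color_info_checked(&with_box, &p), (unsigned)p);
    printf("without box -> rc=%d (handled, no crash)\n",
           get_color_info_checked(&without_box, &p));
    /* get_color_info_unchecked(&without_box, &p) would segfault here. */
    return 0;
}
```

The point of the checked variant is that a missing box becomes an error the caller handles (EX_NOT_FOUND), which is what turns a crash-on-crafted-input into a rejected file.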
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious media file to a target who then processes it with MP4Box or any GPAC-based tool calling the affected function. Successful triggering produces a segmentation violation and process termination. Proof-of-concept details are documented in the GitHub PoC Documentation and the Openwall OSS Security Email.
No verified exploit code is reproduced here. See the referenced advisories for technical reproduction steps.
Detection Methods for CVE-2025-60495
Indicators of Compromise
- Repeated segmentation faults or crash dumps generated by MP4Box or processes linking GPAC libraries.
- Unexpected termination of media processing jobs immediately after ingesting an externally sourced file.
- Core dumps showing the crashing frame inside gf_media_get_color_info in isom_tools.c.
Detection Strategies
- Monitor application logs and system journals for SIGSEGV events tied to MP4Box or GPAC-linked binaries.
- Inventory installations of GPAC and flag any version earlier than 26.02.0 as vulnerable.
- Inspect ingested media files in sandboxed environments to identify malformed color information boxes before production processing.
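The first two detection strategies (crash events tied to MP4Box or GPAC libraries, and flagging installed versions older than 26.02.0), as an added example that is not part of this advisory or of GPAC: the journal lines are constructed, the kernel segfault, systemd-coredump and backtrace formats are assumptions about what such telemetry looks like, and the version check assumes the banner printed by MP4Box -version contains a dotted A.B.C version somewhere in its text.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample journal lines (not real telemetry): a benign MP4Box
 * run, a kernel segfault report for MP4Box, a coredump notice, a backtrace
 * frame naming the affected function, and an unrelated SEGV from another
 * service. NULL terminates the array. */
static const char *const SAMPLE_LOG[] = {
    "Jan 10 12:00:00 media01 MP4Box[4821]: [isom] processing upload_1137.mp4",
    "Jan 10 12:00:01 media01 kernel: MP4Box[4821]: segfault at 0 ip 00007f00deadbeef sp 00007ffc0badf00d error 4 in libgpac.so",
    "Jan 10 12:00:01 media01 systemd-coredump[4830]: Process 4821 (MP4Box) of user 1001 dumped core.",
    "Jan 10 12:00:01 media01 systemd-coredump[4830]: #0  0x00007f00deadbeef gf_media_get_color_info (libgpac.so + 0x1beef)",
    "Jan 10 12:03:17 media01 systemd[1]: other-worker.service: Main process exited, code=killed, status=11/SEGV",
    NULL
};

/* A line is a GPAC crash indicator only when it carries BOTH a crash marker
 * and a reference to MP4Box or libgpac; an unrelated SEGV must not count. */
int is_gpac_crash_line(const char *line)
{
    int crash = strstr(line, "SIGSEGV") || strstr(line, "segfault") ||
                strstr(line, "Segmentation fault") || strstr(line, "/SEGV") ||
                strstr(line, "dumped core");
    int gpac  = strstr(line, "MP4Box") || strstr(line, "libgpac");
    return crash && gpac;
}

/* A backtrace line naming the affected frame is the strongest sign that a
 * crash is this defect rather than some other GPAC bug. */
int names_affected_frame(const char *line)
{
    return strstr(line, "gf_media_get_color_info") != NULL;
}

int count_gpac_crash_lines(const char *const *lines)
{
    int n = 0;
    for (; *lines; lines++) n += is_gpac_crash_line(*lines);
    return n;
}

int count_affected_frames(const char *const *lines)
{
    int n = 0;
    for (; *lines; lines++) n += names_affected_frame(*lines);
    return n;
}

/* Extract the first A.B.C triple from text such as an "MP4Box -version"
 * banner (exact banner format is an assumption). Returns 1 on success. */
int find_version(const char *text, int v[3])
{
    for (const char *p = text; *p; p++) {
        if (isdigit((unsigned char)*p) &&
            sscanf(p, "%d.%d.%d", &v[0], &v[1], &v[2]) == 3)
            return 1;
    }
    return 0;
}

/* 1 if the version is older than the fixed release 26.02.0, 0 if it is at
 * or after it, -1 if no version could be parsed (treat as "unknown"). */
int is_vulnerable_version(const char *text)
{
    static const int fixed[3] = { 26, 2, 0 };
    int v[3];
    if (!find_version(text, v)) return -1;
    for (int i = 0; i < 3; i++) {
        if (v[i] < fixed[i]) return 1;
        if (v[i] > fixed[i]) return 0;
    }
    return 0;
}

int main(void)
{
    printf("GPAC crash indicator lines: %d\n", count_gpac_crash_lines(SAMPLE_LOG));
    printf("lines naming gf_media_get_color_info: %d\n", count_affected_frames(SAMPLE_LOG));

    /* Constructed version banners, not captured output. */
    const char *banners[] = { "MP4Box - GPAC version 2.4.0-rev0",
                              "MP4Box - GPAC version 26.02.0", "unknown" };
    for (int i = 0; i < 3; i++)
        printf("%-34s -> vulnerable=%d\n", banners[i], is_vulnerable_version(banners[i]));
    return 0;
}
```

Requiring both a crash marker and a GPAC reference on the same line keeps generic SEGV noise from other services out of the count; a frame line naming gf_media_get_color_info is what lets an analyst attribute a crash to this CVE rather than to any GPAC fault.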
Monitoring Recommendations
- Forward crash telemetry from media processing hosts to a centralized logging or SIEM platform for correlation.
- Track file submission sources and correlate crash events with the originating uploads or users.
- Alert on abnormal restart loops in media transcoding services that may indicate repeated exploitation attempts.
How to Mitigate CVE-2025-60495
Immediate Actions Required
- Upgrade GPAC and MP4Box to version 26.02.0 or later, which contains the upstream fix.
- Restrict execution of MP4Box to trusted inputs until patching is complete.
- Audit automated pipelines for unsupervised invocation of GPAC against untrusted user-supplied media.
Patch Information
The fix is committed upstream in 9beed3c0a2f38505c745e5376234e7ed66e8e0b1. Rebuild GPAC from sources at or after this commit, or install a distribution package that incorporates version 26.02.0 or newer. See the GitHub Commit Update for the patch contents.
Workarounds
- Process untrusted media files inside isolated containers or sandboxes that contain crashes without affecting host services.
- Add input validation or file-type screening upstream of MP4Box to reject malformed or unexpected media structures.
- Configure service supervisors to rate-limit restarts so that repeated crashes do not propagate into broader service disruption.
# Verify the installed MP4Box version and upgrade if it reports anything below 26.02.0
MP4Box -version
# Example upgrade from source: build at the upstream fix commit named above
# (any tagged release at or after 26.02.0 also contains the fix)
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout 9beed3c0a2f38505c745e5376234e7ed66e8e0b1
./configure && make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.