CVE-2025-65404 Overview
CVE-2025-65404 is a buffer overflow vulnerability in the getSideInfo2() function of Live555 Streaming Media version 2018.09.02. Attackers can trigger the flaw by delivering a crafted MP3 stream to a vulnerable client or server using the library. Successful exploitation causes a Denial of Service (DoS) condition in the affected process. The vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input). Live555 is widely embedded in RTSP/RTP streaming components, IP cameras, and media servers, broadening the exposure footprint.
Critical Impact
A remote attacker can crash any application linking the affected Live555 build by serving a malformed MP3 stream, disrupting media delivery and dependent services.
Affected Products
- Live555 Streaming Media version 2018.09.02
- Applications and devices embedding the affected Live555 RTSP/RTP stack
- IP cameras and media servers bundling the vulnerable library
Discovery Timeline
- 2025-12-01 - CVE-2025-65404 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-65404
Vulnerability Analysis
The flaw resides in the getSideInfo2() routine, part of the MP3 parsing logic in Live555 Streaming Media. The function processes MP3 side information without validating that source data fits the destination buffer. A crafted MP3 stream supplies field values that drive a copy operation beyond the allocated buffer boundary. The resulting memory corruption terminates the consuming process, producing a Denial of Service.
Live555 is commonly used by RTSP servers and clients, including live555MediaServer, openRTSP, and embedded streaming stacks. Because the parser executes on incoming network media, the attack does not require authentication. User interaction is required: a victim must initiate a session against an attacker-controlled stream or accept content originating from an attacker. Confidentiality and integrity are not impacted, but availability of the streaming service is lost until the process restarts.
Root Cause
The root cause is missing bounds checking in getSideInfo2() when parsing MP3 side-information fields. The function trusts attacker-controlled length and offset values from the stream header and writes past the fixed-size buffer. This is a classic CWE-120 unchecked buffer copy pattern in C/C++ media parsers.
Attack Vector
Exploitation is network-based. An attacker hosts a malicious MP3 stream and induces a victim client to connect via RTSP, or delivers the crafted payload through any pipeline that feeds Live555's MP3 demuxer. When getSideInfo2() parses the malformed frame, the overflow triggers and the process crashes. The attacker does not gain code execution based on the published impact, but repeated requests can keep the service offline.
No public proof-of-concept code is available in the verified references. Technical context can be reviewed in the GitHub Live555 Repository and the Shimo Resource Document.
Detection Methods for CVE-2025-65404
Indicators of Compromise
- Unexpected termination or repeated crashes of live555MediaServer, openRTSP, or applications linking Live555.
- Core dumps showing fault addresses inside the getSideInfo2() call path or adjacent MP3 parsing functions.
- Inbound RTSP/RTP sessions delivering MP3 streams from untrusted sources immediately preceding a service crash.
Detection Strategies
- Monitor process exit codes and segmentation faults on hosts running Live555-based services.
- Inspect RTSP traffic for sessions terminating abnormally after DESCRIBE/SETUP/PLAY exchanges involving audio/mpeg payloads.
- Correlate network captures of MP3 frames with crash timestamps to identify malformed side-information fields.
Monitoring Recommendations
- Alert on restart loops of streaming services and rapid availability drops on RTSP listeners (TCP 554, UDP RTP ports).
- Track outbound client connections from internal hosts to untrusted RTSP endpoints serving MP3 content.
- Log Live555 version banners exposed during RTSP OPTIONS responses to inventory vulnerable deployments.
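The crash and restart-loop monitoring described above can be prototyped over syslog before it is moved into a SIEM rule. The following is an added example, not part of the original advisory or of Live555; the function name `find_crash_loops`, the host names, the threshold and the log lines are constructed, and the line layout assumes RFC 3339 syslog timestamps with the standard Linux kernel segfault message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The kernel truncates task names to 15 characters, so live555MediaServer
# is logged as "live555MediaSer". Extend this tuple for other Live555 consumers.
WATCHED = ("live555MediaSer", "openRTSP")

SEGFAULT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?:\[[^\]]*\] )?"
    r"(?P<comm>[^\[\]]+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+)"
)

# Constructed sample input (not real telemetry).
CONSTRUCTED_LOG = [
    "2025-12-02T10:15:01+00:00 cam-gw kernel: live555MediaSer[4121]: segfault at 7ffd3a9c1000 ip 000055d0c0a1b2f4 sp 00007ffd3a9bf000 error 6 in live555MediaServer[55d0c09f0000+a2000]",
    "2025-12-02T10:16:00+00:00 cam-gw systemd[1]: live555.service: Main process exited, code=killed, status=11/SEGV",
    "2025-12-02T10:16:40+00:00 cam-gw kernel: [ 8812.104] live555MediaSer[4177]: segfault at 7ffc11a02000 ip 000055f1a2c3b2f4 sp 00007ffc11a00000 error 6 in live555MediaServer[55f1a2c10000+a2000]",
    "2025-12-02T10:18:22+00:00 cam-gw kernel: live555MediaSer[4203]: segfault at 7ffe90b41000 ip 0000560b7714b2f4 sp 00007ffe90b3f000 error 6 in live555MediaServer[560b77120000+a2000]",
    "2025-12-02T10:40:05+00:00 cam-gw kernel: live555MediaSer[4388]: segfault at 7ffd00c11000 ip 000055aa0102b2f4 sp 00007ffd00c0f000 error 6 in live555MediaServer[55aa01000000+a2000]",
    "2025-12-02T11:02:13+00:00 ws-17 kernel: openRTSP[9920]: segfault at 7ffc5d001000 ip 00005581aa01c110 sp 00007ffc5cfff000 error 6 in openRTSP[5581aa000000+7c000]",
    "2025-12-02T11:05:00+00:00 web-01 kernel: nginx[771]: segfault at 10 ip 00007f2a11c0d1a0 sp 00007ffd1a2b3c40 error 4 in libc.so.6[7f2a11b80000+195000]",
]

def find_crash_loops(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {(host, process): largest number of segfaults seen inside one window}."""
    crashes = defaultdict(list)
    for line in lines:
        m = SEGFAULT.match(line)
        if m and m["comm"] in WATCHED:
            crashes[(m["host"], m["comm"])].append(datetime.fromisoformat(m["ts"]))
    alerts = {}
    for key, times in crashes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                alerts[key] = max(alerts.get(key, 0), burst)
    return alerts

if __name__ == "__main__":
    for (host, proc), count in find_crash_loops(CONSTRUCTED_LOG).items():
        print(f"ALERT {host}: {proc} crashed {count} times within 5 minutes")
```

The faulting `ip` value only locates the crash inside the binary; tying it to the getSideInfo2() call path still requires a core dump or symbolized backtrace from the affected build.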
How to Mitigate CVE-2025-65404
Immediate Actions Required
- Inventory all systems and embedded devices running Live555 Streaming Media 2018.09.02 or earlier.
- Restrict RTSP clients from connecting to untrusted streaming endpoints, especially those serving MP3 payloads.
- Isolate internet-exposed Live555 servers behind network ACLs limiting source addresses.
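The inventory step can be driven from the RTSP OPTIONS responses already being logged. The sketch below is an added example, not code from the advisory or from Live555: it assumes the banner appears in a `Server` header as `LIVE555 Streaming Media v<YYYY.MM.DD>` (confirm this against your own captures), and the function names, addresses and responses are constructed. Because no fixed release is listed, builds newer than 2018.09.02 are marked for review rather than cleared.

```python
import re
from datetime import date

# Cut-off taken from the advisory text: 2018.09.02 or earlier is in scope.
AFFECTED_THROUGH = date(2018, 9, 2)
# Assumed banner format; verify against responses from your own devices.
BANNER = re.compile(r"LIVE555 Streaming Media v(\d{4})\.(\d{2})\.(\d{2})", re.I)

def classify_rtsp_response(raw):
    """Return (status, version) for one raw RTSP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].startswith("RTSP/"):
        return ("not-rtsp", None)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "server":
            continue
        m = BANNER.search(value)
        if not m:
            continue
        version = ".".join(m.groups())
        try:
            built = date(*map(int, m.groups()))
        except ValueError:               # e.g. a vendor-mangled date string
            return ("review", version)
        # No fixed release is listed, so newer builds are "review", not "ok".
        return ("in-scope" if built <= AFFECTED_THROUGH else "review", version)
    return ("no-banner", None)           # absence of a banner proves nothing

def inventory(responses):
    """Map each host to its classification."""
    return {host: classify_rtsp_response(raw) for host, raw in responses.items()}

# Constructed OPTIONS responses (hypothetical hosts, not real captures).
PUBLIC = "Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY\r\n\r\n"
CONSTRUCTED_RESPONSES = {
    "10.0.4.21": "RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: LIVE555 Streaming Media v2018.09.02\r\n" + PUBLIC,
    "10.0.4.22": "RTSP/1.0 200 OK\r\nCSeq: 1\r\nserver: LIVE555 Streaming Media v2016.11.28\r\n" + PUBLIC,
    "10.0.4.30": "RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: LIVE555 Streaming Media v2023.05.10\r\n" + PUBLIC,
    "10.0.4.31": "RTSP/1.0 200 OK\r\nCSeq: 1\r\n" + PUBLIC,
    "10.0.4.40": "HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n",
}

if __name__ == "__main__":
    for host, (status, version) in inventory(CONSTRUCTED_RESPONSES).items():
        print(f"{host:12} {status:10} {version or '-'}")
```

Hosts reported as `no-banner` still need a firmware or package check, since embedded products may strip or rewrite the header.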
Patch Information
No vendor advisory or fixed-version reference is listed in the NVD record at publication time. Track upstream changes in the GitHub Live555 Repository and apply the latest available release once a fix addressing getSideInfo2() boundary handling is published. For embedded products bundling Live555, contact the device vendor for firmware updates.
Workarounds
- Disable MP3 stream handling in Live555-based applications where the codec is not required.
- Front Live555 services with a reverse proxy or media gateway that validates or transcodes incoming MP3 streams.
- Run vulnerable services under process supervisors with rate-limited restarts to reduce DoS impact while a patch is pending.
# Configuration example: restrict inbound RTSP to trusted sources using iptables
iptables -A INPUT -p tcp --dport 554 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 554 -j DROP
iptables -A INPUT -p udp --dport 5000:5100 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p udp --dport 5000:5100 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


