By vendor

Gpac vulnerabilities

Known CVEs affecting Gpac products, prioritized by severity, with SEC.co remediation and detection guidance.

6 published vulnerabilities

  • CVE-2025-52292HIGH 7.5

    GPAC MP4Box version 2.4 contains a stack buffer overflow vulnerability in its file input handling code. An attacker can exploit this by submitting a specially crafted MP4 file, causing the application to crash or become unresponsive. This is a denial-of-service issue with no data theft or system compromise risk, but it can disrupt services that depend on MP4Box for media processing.

  • CVE-2025-52293HIGH 7.5

    CVE-2025-52293 is a crash vulnerability in GPAC MP4Box v2.4 that occurs when the HEVC video parser encounters malformed video stream headers. An attacker can craft a specially designed HEVC Sequence Parameter Set (SPS) and deliver it to a system running MP4Box to trigger a segmentation fault, causing the application to crash and become unavailable. This is a network-exploitable denial-of-service issue that requires no user interaction or special privileges to trigger.

  • CVE-2025-55657HIGH 7.5

    GPAC MP4Box version 2.4 contains a defect that causes the application to crash when processing a specially crafted MP4 file. An attacker can exploit this by sending a malicious MP4 to any system running the vulnerable software, resulting in service unavailability. No data theft or system compromise occurs—the impact is limited to denial of service.

  • CVE-2025-55658MEDIUM 6.5

    GPAC MP4Box version 2.4 contains a bug in how it processes Opus audio codec headers within MP4 files. When processing a specially crafted MP4 file, the application crashes due to a floating point exception—essentially a mathematical error in code that causes the program to terminate. An attacker can exploit this by distributing a malicious MP4 file, causing MP4Box to crash whenever a user or automated system tries to process it. This is a denial-of-service vulnerability that affects availability but does not compromise data confidentiality or integrity.

  • CVE-2025-55659MEDIUM 6.5

    GPAC MP4Box version 2.4 contains a flaw that causes the application to crash when processing a specially crafted MP4 media file. An attacker can exploit this by distributing a malicious MP4 file that, when opened by a user, triggers a denial of service condition. The vulnerability does not compromise data confidentiality or integrity—it simply stops the application from functioning until it is restarted.

  • CVE-2025-55651MEDIUM 5.5

    CVE-2025-55651 is a denial-of-service vulnerability in GPAC's MP4Box v2.4 that crashes the application when processing a specially crafted MP4 file. The flaw stems from the software attempting to access memory without first checking whether a critical pointer is valid. An attacker can exploit this by distributing a malformed MP4 file; if a user opens it with the vulnerable version, the application will crash. This is a local attack requiring user interaction—someone must open the malicious file—but no special privileges are needed.