CVE-2025-55651: GPAC MP4Box NULL Pointer Dereference DoS Vulnerability
CVE-2025-55651 is a denial-of-service vulnerability in GPAC's MP4Box v2.4 that crashes the application when processing a specially crafted MP4 file. The flaw stems from the software attempting to access memory without first checking whether a critical pointer is valid. An attacker can exploit this by distributing a malformed MP4 file; if a user opens it with the vulnerable version, the application will crash. This is a local attack requiring user interaction—someone must open the malicious file—but no special privileges are needed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the gf_isom_get_user_data_count function within isomedia/isom_read.c of GPAC MP4Box v2.4. It is a NULL pointer dereference (CWE-476) that occurs during parsing of MP4 file structures. When the function processes a crafted MP4 file with malicious user data entries, it fails to validate a pointer before dereferencing it, causing an unhandled exception. The attack vector is local and requires minimal privileges, with the only user interaction needed being the opening of the malicious file. The CVSS 3.1 score of 5.5 (MEDIUM severity) reflects availability impact only—no confidentiality or integrity risk.
Business impact
Organizations relying on MP4Box or GPAC for media processing workflows face service disruption risk. Automated media ingest pipelines, transcoding farms, or file validation systems using this library could be halted by a single crafted file. If an attacker sends a malicious MP4 to a media processing service, legitimate work stops until the process is restarted. For security teams, this represents a potential vector for nuisance attacks or workflow sabotage rather than data theft or system compromise. The impact is limited to availability.
Affected systems
GPAC MP4Box version 2.4 is explicitly vulnerable. Organizations should identify all deployments where this version is used—including standalone tools, embedded libraries in media applications, or container-based workflows. GPAC is used across the media and streaming industry for MP4 manipulation and analysis. Check your software bill of materials (SBOM) for GPAC dependencies, especially in ingest, validation, or transcoding toolchains.
Exploitability
Exploitation is straightforward: an attacker crafts a malformed MP4 file with malicious user data structures and distributes it. When the target opens the file with MP4Box v2.4, the application crashes. The attack requires only that a user open the file—no advanced techniques, credentials, or network access needed. However, exploitation is limited to the local system where the file is opened. The barrier to entry is low, but impact is confined to denial of service on that single instance. No evidence of public exploitation (KEV status is false) is currently tracked.
Remediation
Update GPAC to a patched version that addresses the NULL pointer dereference in gf_isom_get_user_data_count. Verify the specific patch version against the GPAC project's advisory or release notes. Until patching is complete, minimize exposure by restricting which users or systems can process untrusted MP4 files, implementing file validation pre-ingestion where possible, and monitoring for unexpected application crashes in media processing pipelines.
Patch guidance
Consult the GPAC project repository and official security advisories for the patched version addressing CVE-2025-55651. Apply updates first to non-production environments to verify compatibility with your media workflows. If GPAC is embedded in third-party applications (video players, transcoding services, etc.), check those vendors' advisory pages for their own patched releases. Test that legitimate MP4 files continue to process correctly after patching.
Detection guidance
Monitor application logs and crash dumps for segmentation faults or access violations in MP4Box or GPAC processes, particularly in isomedia/isom_read.c. Alert on unexpected termination of media processing jobs. If possible, use sandboxed or containerized environments for untrusted file processing to limit blast radius. Implement file format validation before passing MP4s to GPAC—malformed files triggering crashes may indicate attack attempts. Rate-based anomalies in application crashes could signal an attacker testing malicious files.
Why prioritize this
This vulnerability merits medium priority based on CVSS 5.5 but context-dependent urgency. If your organization's media pipelines are internet-facing or process user-supplied files, prioritize patching to prevent workflow disruption. If GPAC is used only internally on controlled files, the risk is lower but still warrants scheduling. Absence from KEV catalogs suggests no active exploitation in the wild, but the low barrier to weaponization means that could change.
Risk score, explained
CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector Local (requires file to be opened locally), Access Complexity Low (no special conditions), Privileges Required None, User Interaction Required (user must open file), and Availability Impact High (crash/DoS). The score is not elevated to HIGH because there is no confidentiality or integrity risk—the impact is limited to availability, and the attack requires local access and user action. Organizations processing untrusted media files should consider this higher in their queue than the base score alone suggests.
Frequently asked questions
Can this vulnerability be exploited remotely or over a network?
No. The vulnerability requires local access to the MP4 file. However, an attacker can distribute the malicious MP4 file via email, web download, or file-sharing services; the user's action in opening it triggers the crash. The attack itself is not over the network, but social engineering to deliver the file can be.
What versions of GPAC are affected?
GPAC MP4Box v2.4 is confirmed vulnerable. Earlier and later versions should be verified against GPAC's official advisory. If you have deployed GPAC as an embedded library, check your vendor's advisory for affected versions of their product.
If we only open trusted MP4 files internally, do we need to patch immediately?
Immediate patching is less critical in that scenario, but you should still schedule it. The risk is lower if all files come from known, trusted sources and no external input is processed. However, patching should be planned to avoid future exposure if practices change or files are accidentally sourced from untrusted locations.
Are there workarounds if we cannot patch quickly?
Workarounds include restricting GPAC processing to sandboxed or isolated environments, implementing pre-processing validation of MP4 files (using alternative tools not affected by CWE-476), and monitoring for unexpected crashes. These mitigate risk but do not eliminate it—patching is the definitive fix.
This analysis is provided for informational purposes. SEC.co does not guarantee the completeness or accuracy of third-party vulnerability data. Patch versions, compatibility, and update timelines should be verified directly with GPAC's official advisories and your vendor documentation. This page does not constitute security advice; consult your organization's security team for deployment-specific risk assessment and patching decisions. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-55659MEDIUMGPAC MP4Box NULL Pointer Denial of Service
- CVE-2025-55657HIGHGPAC MP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability
- CVE-2025-60485MEDIUMMP4Box Segmentation Fault DoS Vulnerability (GPAC < 26.02.0)
- CVE-2025-60495MEDIUMMP4Box Segmentation Fault DoS Vulnerability – Patching Guide
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference