MEDIUM 6.5

CVE-2025-55659: GPAC MP4Box NULL Pointer Denial of Service

GPAC MP4Box version 2.4 contains a flaw that causes the application to crash when processing a specially crafted MP4 media file. An attacker can exploit this by distributing a malicious MP4 file that, when opened by a user, triggers a denial of service condition. The vulnerability does not compromise data confidentiality or integrity—it simply stops the application from functioning until it is restarted.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

A NULL pointer dereference in the ctts_box_write function (isomedia/box_code_base.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-55659 is a NULL pointer dereference vulnerability in the ctts_box_write function located in isomedia/box_code_base.c within GPAC MP4Box v2.4. The ctts_box_write function handles the composition-to-decode time-to-sample box during MP4 file processing. When a crafted MP4 file is supplied, the function attempts to dereference a NULL pointer, triggering an unhandled exception. The flaw is classified under CWE-476 (NULL Pointer Dereference), a common memory safety issue that occurs when code fails to validate pointer validity before use.

Business impact

Organizations relying on GPAC MP4Box for automated video transcoding, media ingest pipelines, or broadcast workflows may experience service interruptions if users or systems process attacker-controlled MP4 files. Repeated exploitation could disrupt media processing operations, delay content delivery, or require manual intervention to restart crashed services. The absence of data breach or corruption risk limits financial impact to availability loss and operational overhead.

Affected systems

GPAC MP4Box v2.4 is the confirmed affected version. Organizations using this software for media processing, video encoding, content distribution preparation, or broadcast infrastructure should prioritize inventory and testing. Verify your deployed version against GPAC's official release history and advisory documentation.

Exploitability

Exploitation requires user or system interaction: either a user must open a malicious MP4 file in an application using GPAC MP4Box, or an automated media processing pipeline must ingest untrusted content. Network accessibility is present (the file can be distributed remotely), no special privileges are required, and the attack complexity is low. However, the reliance on user action (UI:R in the CVSS vector) prevents this from being remotely exploitable in fire-and-forget scenarios. The threat is moderate for environments accepting user-uploaded media or processing feeds from untrusted sources.

Remediation

Update GPAC MP4Box to a version containing the NULL pointer dereference fix. Verify the specific patched version against GPAC's official security advisory and release notes. If an immediate patch is unavailable, implement controls to restrict processing of MP4 files from untrusted sources, or isolate media processing infrastructure to reduce user-facing impact.

Patch guidance

Consult GPAC's official advisory and GitHub repository for the patched version that resolves CVE-2025-55659. Verify the fix is present in your target release before deployment. Test the patched version against your existing media ingest workflows to ensure compatibility with downstream encoding or transcoding processes. Once validated, deploy to all systems running MP4Box v2.4 in your environment.

Detection guidance

Monitor application crash logs and core dumps for segmentation faults or NULL pointer exceptions in GPAC-related processes, particularly within ctts_box_write or isomedia box-handling functions. Implement file validation rules to reject or sandbox MP4 files with abnormal or suspicious composition-to-decode time box structures. Network-based detection is limited; focus on endpoint and log analysis. Threat hunting should focus on media ingest systems and user-facing media processing services.

Why prioritize this

Although rated MEDIUM severity (CVSS 6.5), this vulnerability warrants timely attention because it affects automated media processing infrastructure and can disrupt business-critical workflows. Organizations operating broadcast or content delivery services should prioritize patching; those using GPAC in non-critical or isolated environments may schedule updates in the next maintenance cycle. The requirement for user interaction limits critical impact but does not eliminate operational risk.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a vulnerability with high availability impact (A:H) accessible over the network (AV:N) without authentication or privilege escalation, but requiring user interaction (UI:R) to trigger. The attack vector and lack of complexity elevate the score into the MEDIUM range; the user interaction requirement prevents a higher severity rating. No confidentiality or integrity impact is present.

Frequently asked questions

Does this vulnerability allow remote code execution or data theft?

No. CVE-2025-55659 causes only a denial of service via application crash. It does not enable code execution, privilege escalation, or unauthorized data access. The impact is limited to availability disruption.

What types of organizations are most at risk?

Media and broadcast organizations, content distribution networks, video hosting platforms, and any service that automatically processes user-uploaded or third-party MP4 files are at elevated risk. Organizations with closed, internal-only media workflows face lower risk.

Can this be exploited without user action?

The CVSS vector indicates user interaction is required (UI:R). Practical exploitation typically requires a user to open a malicious MP4 file or an automated pipeline to ingest untrusted media. It is not a wormable or self-propagating vulnerability.

What should I do if I cannot patch immediately?

Implement access controls to restrict MP4 file sources to trusted parties only. Isolate media processing systems from critical infrastructure. Monitor crash logs for signs of exploitation. Plan patching for the next maintenance window and test the fix against your media workflows before production deployment.

This analysis is provided for informational purposes to support security decision-making. The information is derived from the published CVE record and CVSS vector; additional details should be verified against GPAC's official advisory and vendor documentation. No exploit code or weaponized proof-of-concept is included. Organizations should test any patches in non-production environments before broad deployment. This page does not constitute professional security advice and should be reviewed by your organization's security team in context of your specific infrastructure and risk profile. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).