CVE-2025-60477: MP4Box NULL Pointer Dereference Denial of Service
CVE-2025-60477 is a crash vulnerability in GPAC's MP4Box multimedia processing tool. A specially crafted file can trigger a program crash when processed by a local or authenticated user, disrupting media encoding and processing workflows. The vulnerability does not leak data or enable privilege escalation, but it can be weaponized to interrupt legitimate operations or degrade service availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
A NULL pointer dereference exists in the gf_filter_pid_resolve_file_template_ex function within GPAC's filter_pid.c component. When MP4Box processes a maliciously crafted media file, the function fails to validate a pointer before dereferencing it, causing an immediate null pointer exception. The vulnerability requires local file system access and user interaction to trigger, as an authenticated user must invoke MP4Box with the hostile file. Versions prior to 26.02.0 are affected.
Business impact
Organizations relying on automated or manual MP4Box workflows for video transcoding, format conversion, or media processing face service disruption. A threat actor with file upload privileges could repeatedly crash processing pipelines, creating a denial-of-service condition. Media production environments, content delivery networks, and broadcast automation systems are at risk if they integrate MP4Box without input validation or sandboxing. The impact is availability-focused: no data exfiltration or system compromise occurs, but productivity losses accumulate if reprocessing queues are blocked.
Affected systems
GPAC Project's MP4Box tool in versions before 26.02.0 is vulnerable. The flaw is in the core filter framework, so any deployment using gf_filter_pid_resolve_file_template_ex is exposed. End users running MP4Box on Linux, macOS, or Windows systems for multimedia workflows are affected. Systems that expose MP4Box as a service to untrusted file sources (e.g., web upload forms) face elevated risk. No other GPAC utilities or third-party products are directly implicated by this CVE.
Exploitability
Exploitability is moderate in opportunistic scenarios but low in well-defended environments. An attacker must either upload a crafted file to a system running MP4Box or convince an authenticated user to open one. The attack requires no special privileges beyond basic file system access and user-level execution. Automation pipelines that process user-supplied media without validation present the easiest attack surface. However, the vulnerability cannot be exploited remotely, does not require user code execution, and does not grant escalated privileges—limiting its strategic value compared to remote code execution flaws.
Remediation
Upgrade GPAC/MP4Box to version 26.02.0 or later. Patch availability can be verified through the GPAC project's official repository or release notes. Until patching is complete, implement compensating controls: validate and sanitize input files before processing, run MP4Box in isolated containers or virtual environments, restrict file upload permissions, and monitor for unexpected process crashes in media pipelines. Organizations should prioritize patching in development and testing environments first to confirm workflow compatibility.
Patch guidance
Check the GPAC Project's official GitHub repository and release notes for version 26.02.0 availability and installation instructions for your operating system. The project maintains builds for Windows, macOS, and Linux. Verify against the vendor advisory that the patch addresses CVE-2025-60477 specifically. Test patches in a staging environment with representative media files to ensure no regression in encoding or transcoding quality. Deploy via your standard software update process or package manager if MP4Box is installed that way.
Detection guidance
Monitor logs for unexpected crashes or segmentation faults in MP4Box processes, particularly those correlating with specific input files. Watch for repeated process restarts or service unavailability in media processing pipelines. Endpoint detection and response (EDR) tools can flag abnormal process termination patterns. File integrity monitoring on media libraries may reveal unusual file characteristics preceding crashes. Log aggregation systems should alert on error codes or stack traces mentioning gf_filter_pid_resolve_file_template_ex or NULL pointer exceptions. In containerized environments, track container restart events linked to MP4Box operations.
Why prioritize this
This vulnerability merits medium priority in most environments because it enables denial of service without data breach or privilege escalation. However, organizations operating media processing infrastructure—particularly those accepting untrusted uploads—should prioritize it higher. The low CVSS score (5.0) reflects the limited impact scope, but operational cost of downtime may justify faster patching in mission-critical contexts. The requirement for local access and user interaction naturally limits blast radius compared to network-exploitable flaws.
Risk score, explained
The CVSS 3.1 score of 5.0 (MEDIUM) reflects a flaw with local attack vector, low complexity, and low privilege requirement, but high availability impact and no confidentiality or integrity loss. The score appropriately captures that this is a localized denial-of-service vector with no direct path to data compromise or system takeover. Risk may be elevated internally based on organizational dependency on MP4Box uptime and the frequency of untrusted file processing.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2025-60477 requires local file system access and authenticated user-level execution. An attacker cannot exploit it over a network directly. However, if MP4Box is exposed as a web service or processes files from internet sources without validation, remote file uploads could be weaponized to trigger the crash.
Does this vulnerability lead to data theft or system compromise?
No. The NULL pointer dereference causes only a denial of service—the process crashes but does not leak sensitive data, enable privilege escalation, or provide code execution. The flaw is confined to availability disruption.
What is the recommended timeline for patching?
Organizations should plan to upgrade within 2–4 weeks of patch availability, with priority given to systems processing untrusted or user-supplied media files. Critical media production environments may justify faster deployment; lower-risk development systems can follow standard update cycles.
Can input validation or sandboxing mitigate this flaw before patching?
Yes, partially. Sandboxing MP4Box in containers, virtual machines, or restricted user environments limits blast radius and prevents cascading failures. Validating media file headers and checksums before processing can catch some malformed inputs, but a determined attacker may still craft valid-looking files that trigger the flaw. Patching remains the definitive remediation.
This analysis is provided for informational purposes and reflects the vulnerability details and CVSS assessment as of the publication date. Organizations should verify patch availability and compatibility with vendor advisories before deployment. SEC.co does not warrant the accuracy or completeness of third-party patch or detection tools referenced. Use of this guidance is at the organization's discretion and does not constitute professional security advice. Always conduct your own risk assessment in the context of your environment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability
- CVE-2025-60485MEDIUMMP4Box Segmentation Fault DoS Vulnerability (GPAC < 26.02.0)
- CVE-2025-60495MEDIUMMP4Box Segmentation Fault DoS Vulnerability – Patching Guide
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-28581MEDIUMAndroid Emergency Call Logic Error Vulnerability
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)