PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-60483 GPAC Project CVE debrief

A NULL pointer dereference vulnerability exists in the GPAC Project/MP4Box multimedia framework, specifically within the gf_ac4_pres_b_4_back_channels_present function in /media_tools/av_parsers.c. The flaw affects versions prior to 26.02.0 and can be triggered when processing a crafted AC4 audio file, resulting in a Denial of Service (DoS) condition. The vulnerability was addressed with a code commit that resolves the NULL pointer dereference. The issue was reported through coordinated disclosure with a proof-of-concept and public discussion.

Vendor
GPAC Project
Product
MP4Box
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations using GPAC/MP4Box for media processing, content delivery networks handling AC4 audio content, multimedia application developers, and security teams monitoring for parser vulnerabilities in audio processing pipelines

Technical summary

The vulnerability is a NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function located in /media_tools/av_parsers.c within the GPAC multimedia framework. When MP4Box or libgpac processes a malformed AC4 (Dolby AC-4) audio file, the function dereferences a NULL pointer, causing a crash and resulting in Denial of Service. The issue affects GPAC versions before 26.02.0. The fix was committed to the GPAC repository, addressing the insufficient pointer validation during AC4 presentation parsing.
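The bug class described above, illustrated with a deliberately simplified model (added example, not GPAC's code; the record layout, struct names and function names here are hypothetical and do not reproduce media_tools/av_parsers.c). A parser that fills in a sub-record only when the file says it is present leaves the pointer NULL otherwise; an accessor that trusts the pointer crashes on such a file, while the hardened accessor rejects the presentation with an error code the caller can act on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AC4_ERR_BAD_INPUT (-1)

/* Hypothetical, simplified record layout (not GPAC's real structures):
 *   byte 0: presentation id
 *   byte 1: 1 if a substream record follows, 0 if the file omitted it
 *   byte 2: substream flags, bit 0 = b_4_back_channels_present (only when byte 1 == 1)
 */
typedef struct { uint8_t b_4_back_channels_present; } ac4_substream_t;

typedef struct {
    uint8_t pres_id;
    ac4_substream_t substream_storage;   /* backing storage; struct must not be copied by value */
    ac4_substream_t *substream;          /* NULL when the record was absent from the input */
} ac4_presentation_t;

/* Parse one presentation record from an untrusted buffer. Returns 0 on success. */
int ac4_parse_presentation(const uint8_t *buf, size_t len, ac4_presentation_t *out) {
    if (!buf || !out || len < 2) return AC4_ERR_BAD_INPUT;
    memset(out, 0, sizeof(*out));
    out->pres_id = buf[0];
    if (buf[1] == 1) {
        if (len < 3) return AC4_ERR_BAD_INPUT;        /* truncated record */
        out->substream_storage.b_4_back_channels_present = buf[2] & 1u;
        out->substream = &out->substream_storage;
    }
    /* buf[1] == 0: the file simply carries no substream; substream stays NULL */
    return 0;
}

/* Unchecked accessor: assumes the substream was populated. On a file that omits
 * the record this dereferences NULL, which is the bug class behind the CVE. */
int back_channels_present_unchecked(const ac4_presentation_t *pres) {
    return pres->substream->b_4_back_channels_present;
}

/* Hardened accessor: validate every pointer derived from the input before use
 * and hand the caller a distinct error so the file can be rejected, not crashed on. */
int back_channels_present_checked(const ac4_presentation_t *pres) {
    if (!pres || !pres->substream) return AC4_ERR_BAD_INPUT;
    return pres->substream->b_4_back_channels_present ? 1 : 0;
}

/* Parse then query with the hardened accessor: 1, 0, or AC4_ERR_BAD_INPUT. */
int ac4_back_channels_from_bytes(const uint8_t *buf, size_t len) {
    ac4_presentation_t pres;
    if (ac4_parse_presentation(buf, len, &pres) != 0) return AC4_ERR_BAD_INPUT;
    return back_channels_present_checked(&pres);
}
```

The point of the hardened accessor is that the check sits at the dereference, not only in the parser: a later refactor of the parser, or a second code path that builds the presentation differently, cannot reintroduce the crash through this function.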

Defensive priority

medium

Recommended defensive actions

  • Upgrade GPAC Project/MP4Box to version 26.02.0 or later to obtain the patched code
  • Restrict processing of untrusted AC4 audio files until patching is complete
  • Monitor for anomalous crashes in MP4Box or applications using libgpac when handling AC4 content
  • Review application logs for unexpected terminations during AC4 media parsing
  • Validate AC4 file inputs through sandboxed or isolated processing environments where feasible
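One way to act on the monitoring items above, as an added example rather than anything from the advisory or the GPAC project: a small classifier over Linux kernel segfault lines (the `segfault at ADDR ip ... error N in FILE[...]` format) that flags crashes in MP4Box or libgpac and singles out a fault address of 0, the usual footprint of a NULL pointer dereference. The log lines below are constructed for the example, not real incident data; the process names, PIDs and addresses in them are made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classify one log line. Returns:
 *   2 = segfault at address 0 (NULL-dereference signature) in MP4Box/libgpac
 *   1 = other segfault in MP4Box/libgpac
 *   0 = not relevant, or not parseable as a kernel segfault line */
int classify_crash_line(const char *line) {
    if (!line) return 0;
    if (!strstr(line, "MP4Box") && !strstr(line, "libgpac")) return 0;
    const char *p = strstr(line, "segfault at ");
    if (!p) return 0;
    p += strlen("segfault at ");
    char *end;
    unsigned long long addr = strtoull(p, &end, 16);
    if (end == p) return 0;                  /* no hex address where one was expected */
    return addr == 0 ? 2 : 1;
}

/* Count NULL-dereference-style crashes over a buffer of newline-separated lines. */
int count_null_deref_crashes(const char *log) {
    int n = 0;
    char buf[512];
    while (*log) {
        const char *nl = strchr(log, '\n');
        size_t len = nl ? (size_t)(nl - log) : strlen(log);
        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate over-long lines */
        memcpy(buf, log, len);
        buf[len] = '\0';
        if (classify_crash_line(buf) == 2) n++;
        if (!nl) break;
        log = nl + 1;
    }
    return n;
}

/* Constructed sample lines in the Linux kernel segfault format (not real incident data). */
static const char *SAMPLE_LOG =
    "Jun  1 10:00:01 host kernel: MP4Box[4123]: segfault at 0 ip 00007f3a1c2b4e10 sp 00007ffd3c1e4a60 error 4 in libgpac.so[7f3a1c100000+400000]\n"
    "Jun  1 10:00:05 host kernel: ffmpeg[4190]: segfault at 0 ip 0000558e8a2c1f3a sp 00007ffe2a4b1c10 error 4 in ffmpeg[558e8a100000+300000]\n"
    "Jun  1 10:00:09 host kernel: MP4Box[4201]: segfault at 7f3a1c2b4e18 ip 00007f3a1c2b4e10 sp 00007ffd3c1e4a60 error 6 in libgpac.so[7f3a1c100000+400000]\n"
    "Jun  1 10:00:12 host systemd[1]: Started session 42 of user media.\n";
```

Feeding `dmesg` or the journal through `count_null_deref_crashes` gives a single number to alert on; the second sample line shows why the process filter matters (an unrelated tool's crash is ignored), and the third shows that a non-zero fault address in the same library is still reported, just at the lower severity.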

Evidence notes

The CVE description identifies the vulnerable function and file path. The commit reference (ref-4) provides the fix. The GitHub issue (ref-5) and proof-of-concept repository (ref-6) confirm researcher disclosure. The social media post (ref-7) indicates public notification timing.

Official resources

coordinated