PatchSiren cyber security CVE debrief
CVE-2025-60485 GPAC Project CVE debrief
A segmentation violation in the gf_isom_apple_set_tag_ex function within GPAC Project/MP4Box allows remote attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file. The vulnerability exists in /isomedia/isom_write.c and affects versions before 26.02.0. The issue was addressed in a commit to the GPAC repository.
- Vendor: GPAC Project
- Product: MP4Box
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations using GPAC Project/MP4Box for MP4 media processing, including media encoding pipelines, content delivery networks, and multimedia analysis tools, should prioritize patching to prevent service disruption from malicious file uploads or processing.
Technical summary
The vulnerability is a segmentation violation in the gf_isom_apple_set_tag_ex function located in /isomedia/isom_write.c of the GPAC multimedia framework, specifically affecting the MP4Box tool. An attacker can trigger a Denial of Service by providing a maliciously crafted MP4 file that causes an invalid memory access during tag processing. The issue was resolved in GPAC version 26.02.0 through a code commit that addresses the underlying memory safety defect.
Defensive priority
medium
Recommended defensive actions
- Upgrade GPAC Project/MP4Box to version 26.02.0 or later to remediate this vulnerability.
- Validate and sanitize MP4 file inputs before processing with MP4Box in environments where immediate patching is not feasible.
- Monitor for anomalous MP4 processing failures that may indicate exploitation attempts.
- Review application logs for unexpected crashes in media processing pipelines using GPAC/MP4Box.
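The following is an added example, not code from PatchSiren or the GPAC project, showing how a pipeline operator could implement two of the actions above: gating on the fixed version (26.02.0) and classifying MP4Box exits so a signal-terminated run (a segmentation violation surfaces as SIGSEGV) is logged as a crash rather than a generic failure. It assumes a POSIX host, Python 3, and the `MP4Box -version` / `MP4Box -info` invocations; the output format of `-version` is an assumption and only the first dotted number is parsed.

```python
import re
import shlex
import signal
import subprocess
from datetime import datetime, timezone

# Version in which the advisory says the defect was fixed (from the page).
FIXED_VERSION = (26, 2, 0)


def parse_version(text):
    """Extract the first dotted numeric version (e.g. '26.02.0') from
    'MP4Box -version' output. Output format is assumed, not documented here."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_patched(version_text):
    """True when the parsed version is >= 26.02.0."""
    v = parse_version(version_text)
    return v is not None and v >= FIXED_VERSION


def classify_exit(returncode, timed_out=False):
    """Map a subprocess outcome to a triage label. On POSIX a negative return
    code means the child was killed by a signal; SIGSEGV is the class of
    failure this CVE describes, so it is surfaced by name."""
    if timed_out:
        return "timeout"
    if returncode == 0:
        return "ok"
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:  # unknown signal number on this platform
            name = f"SIG{-returncode}"
        return f"crash:{name}"
    return "error"  # ordinary non-zero exit (parse error, bad args, ...)


def probe_mp4(path, mp4box="MP4Box", timeout=30):
    """Run 'MP4Box -info' on one file under a timeout and return a
    structured record suitable for a log pipeline or SIEM."""
    cmd = [mp4box, "-info", path]
    timed_out, rc = False, None
    try:
        rc = subprocess.run(cmd, capture_output=True, text=True,
                            timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        timed_out = True
    return {"ts": datetime.now(timezone.utc).isoformat(), "file": path,
            "cmd": shlex.join(cmd), "result": classify_exit(rc, timed_out)}
```

A `crash:SIGSEGV` record for an inbound file on an unpatched host is the signal the monitoring action above is looking for; the same wrapper can refuse to process anything until `is_patched()` is true.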
Evidence notes
The CVE description identifies a segmentation violation in gf_isom_apple_set_tag_ex in /isomedia/isom_write.c of GPAC Project/MP4Box before 26.02.0, triggered by a crafted MP4 file. The fix commit and issue tracker reference confirm vendor acknowledgment and remediation.
Official resources
2026-06-01