PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-55664 GPAC CVE debrief

A heap buffer overflow exists in the m2tsdmx_send_packet function in filters/dmx_m2ts.c of GPAC MP4Box v2.4. According to the CVE description the flaw is triggered by processing a crafted MP4 file and results in a Denial of Service (DoS). The vulnerability was addressed in a commit to the GPAC repository.

Vendor
GPAC
Product
MP4Box
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations using GPAC MP4Box v2.4 for media file processing, particularly those that handle untrusted media inputs in automated workflows or user-facing applications. This includes media processing pipelines, content delivery networks, and multimedia analysis tools that rely on MP4Box for demuxing or inspection. Because the affected source file belongs to GPAC's filter library (libgpac) rather than to the MP4Box front end alone, other tools built on the same GPAC version (the gpac command-line tool, applications embedding libgpac) that demultiplex transport streams should be treated the same way.

Technical summary

The vulnerability is a heap buffer overflow in the m2tsdmx_send_packet function in filters/dmx_m2ts.c of GPAC MP4Box version 2.4. The CVE description states that a maliciously crafted MP4 file triggers the overflow and causes a Denial of Service; note that dmx_m2ts.c implements GPAC's MPEG-2 Transport Stream demultiplexer filter, so the vulnerable code path is transport-stream demuxing and the input that reaches it is TS data handled by MP4Box or the GPAC filter chain. No further details of the overflow (affected buffer, write size, or whether it is exploitable beyond a crash) are given in the stored evidence. The issue has been fixed in the GPAC repository via commit 9bd6a72c9efc0513dfd33b87498afc7658dabd26.

Defensive priority

medium

Recommended defensive actions

  • Upgrade GPAC MP4Box to a build that includes the fix commit (9bd6a72c9efc0513dfd33b87498afc7658dabd26) or a later release; if you build from source, confirm the commit is an ancestor of the revision you ship rather than relying on the 2.4 version string, which does not change across post-release fixes.
  • Do not feed media files from unknown or unverified sources to unpatched MP4Box instances.
  • Monitor the GPAC project for a tagged release that contains the fix.
  • If upgrading is not immediately feasible, run MP4Box in a sandboxed or isolated environment with CPU, memory and wall-clock limits, and treat abnormal terminations (crashes by signal) on untrusted input as security events rather than ordinary job failures.
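The following is an added example (not code from the GPAC project or from this advisory) of how the fix check and the isolation step above can be scripted. It assumes a git checkout of GPAC at the path in GPAC_SRC, a MP4Box binary named by MP4BOX, and the hypothetical limit values MAX_CPU_SEC, MAX_VMEM_KB and MAX_WALL_SEC; the only value taken from the advisory is the fix commit hash.

```shell
#!/bin/sh
# Added example, not GPAC project code. Gate MP4Box handling of untrusted
# media behind (a) a check that the fix commit is in the build's history and
# (b) a resource-limited wrapper that classifies how each run ended.
# Assumptions (not from the advisory): GPAC_SRC is a git checkout of GPAC,
# MP4BOX names the binary to run, and the limits below are illustrative.

FIX_COMMIT=9bd6a72c9efc0513dfd33b87498afc7658dabd26   # from the advisory

# Returns 0 if the checkout in $1 has the fix commit as an ancestor of HEAD.
# A "2.4" version string alone does not prove this, so ask git directly.
gpac_checkout_has_fix() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Map an exit status to a category: "ok", "timeout" (coreutils timeout(1)
# exits 124), "crash" (process terminated by a signal, status > 128, e.g.
# 139 for SIGSEGV, 134 for SIGABRT) or "error" (ordinary non-zero exit).
classify_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo timeout ;;
        *)   if [ "$1" -gt 128 ]; then echo crash; else echo error; fi ;;
    esac
}

# Run MP4Box on untrusted input with CPU, address-space and wall-clock
# limits applied in a subshell so they do not leak into the caller.
# Prints the classification on stdout and returns the original status.
run_mp4box_guarded() {
    if ( ulimit -t "${MAX_CPU_SEC:-60}" 2>/dev/null || :
         ulimit -v "${MAX_VMEM_KB:-2097152}" 2>/dev/null || :   # 2 GiB
         if command -v timeout >/dev/null 2>&1; then
             exec timeout "${MAX_WALL_SEC:-120}" "${MP4BOX:-MP4Box}" "$@"
         else
             exec "${MP4BOX:-MP4Box}" "$@"
         fi ); then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
    return "$status"
}

# Typical use, e.g. from a pipeline worker (requires a real GPAC checkout):
#   gpac_checkout_has_fix "$GPAC_SRC" || echo "build lacks fix $FIX_COMMIT" >&2
#   kind=$(run_mp4box_guarded -info untrusted.ts) || :
#   [ "$kind" = crash ] && logger -t mp4box-guard "crash on untrusted input"
```

A crash classification on untrusted input is the signal that matters here: a heap overflow in a demuxer usually surfaces first as SIGSEGV or SIGABRT, so routing those runs to a quarantine queue and alerting on them separates exploitation attempts from routine malformed-file failures.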

Evidence notes

The CVE description identifies the affected function (m2tsdmx_send_packet) and file (filters/dmx_m2ts.c) in GPAC MP4Box v2.4. A commit reference is available that appears to contain the fix, and an issue report is also referenced. The vendor field was recorded as 'Unknown Vendor' with low confidence and flagged for review; the source references nonetheless clearly identify GPAC as the affected project. No CVSS score is present in the stored evidence.

Official resources

public