PatchSiren

CVE-2025-60471 GPAC CVE debrief

CVE-2025-60471 is a use-after-free vulnerability in the gf_filter_pid_reconfigure_task_discard function of GPAC Project/MP4Box before 26.02.0. An attacker can cause a Denial of Service (DoS) by supplying a crafted media file. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM. The CVE was published on 2026-06-24T19:17:07.920Z and last modified on 2026-06-29T23:14:24.983Z.

Vendor: GPAC
Product: MP4Box
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-29
Advisory published: 2026-06-24
Advisory updated: 2026-06-29

Who should care

Organizations using GPAC Project/MP4Box before 26.02.0 should be aware of this vulnerability and take steps to mitigate it. This vulnerability can be exploited to cause a Denial of Service (DoS), which can have significant impacts on system availability. Security teams and administrators responsible for media processing systems should prioritize patching and monitoring.

Technical summary

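The vulnerability is a use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0. An attacker can trigger it, and cause a Denial of Service (DoS), by supplying a crafted media file. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: a local attack (AV:L) of low complexity (AC:L) that needs no privileges (PR:N) but does require user interaction (UI:R), with no confidentiality or integrity impact and a high availability impact (A:H). The weakness associated with this vulnerability is CWE-416.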

Defensive priority

This vulnerability has a MEDIUM severity and a CVSS score of 5.5. Organizations should prioritize patching and monitoring to mitigate the risk of exploitation.

Recommended defensive actions

  • Apply the patch from https://github.com/gpac/gpac/commit/868c6801c226e9964cace54cfd5a759f152780b4
  • Monitor for suspicious media file processing activity
  • Restrict access to media file processing systems
  • Implement additional security controls to detect and prevent exploitation
  • Review and update incident response plans to address potential DoS attacks
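
One way to act on the monitoring and restriction items above, as an added example that is not code from GPAC or from this advisory: run each media-tool invocation in its own resource-limited child process and classify how it ended, so a parser crash on a crafted file is contained and flagged instead of taking down the calling service. It assumes a Linux/POSIX host; the function names, the 2 GiB memory cap and the 30-second timeout are illustrative choices.

```python
import resource
import signal
import subprocess
import sys

# Signals a native parser usually dies with when memory is corrupted (CWE-416 included).
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGABRT, signal.SIGBUS, signal.SIGILL}
MAX_ADDRESS_SPACE = 2 << 30  # 2 GiB cap per run; constructed value, tune per workload


def _limit_child():
    """Runs in the child just before exec: no core dumps, bounded memory."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    _, hard = resource.getrlimit(resource.RLIMIT_AS)
    cap = MAX_ADDRESS_SPACE if hard == resource.RLIM_INFINITY else min(MAX_ADDRESS_SPACE, hard)
    resource.setrlimit(resource.RLIMIT_AS, (cap, hard))


def run_isolated(argv, timeout=30):
    """Run one media-tool invocation in its own process and classify how it ended.

    Returns (verdict, detail); verdict is 'ok', 'error', 'crash' or 'timeout'.
    """
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout,
                              preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return "timeout", f"killed after {timeout}s"
    if proc.returncode < 0:  # negative code: the child was terminated by that signal
        signo = -proc.returncode
        try:
            name = signal.Signals(signo).name
        except ValueError:
            name = f"signal {signo}"
        return ("crash" if signo in CRASH_SIGNALS else "error"), name
    if proc.returncode != 0:
        return "error", f"exit status {proc.returncode}"
    return "ok", ""


if __name__ == "__main__":
    # Pass the real command line as arguments (e.g. the MP4Box call your pipeline uses).
    # With no arguments, a constructed child that aborts itself stands in for a crash.
    demo = sys.argv[1:] or [sys.executable, "-c", "import os; os.abort()"]
    print(run_isolated(demo))
```

A 'crash' verdict on an untrusted upload is worth alerting on and quarantining the input file for later analysis; a 'timeout' covers the hang variant of the same availability impact.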

Evidence notes

The CVE-2025-60471 vulnerability was published on 2026-06-24T19:17:07.920Z and last modified on 2026-06-29T23:14:24.983Z. The vulnerability affects GPAC Project/MP4Box versions before 26.02.0. The CVSS score is 5.5 and the severity is MEDIUM. The weakness associated with this vulnerability is CWE-416.

This article is AI-assisted and based on the supplied source corpus.