PatchSiren cyber security CVE debrief

CVE-2025-60473 GPAC CVE debrief

CVE-2025-60473 is a MEDIUM severity vulnerability in GPAC Project MP4Box before 26.02.0. A NULL pointer dereference in the gf_filter_in_parent_chain function allows an attacker to cause a Denial of Service (DoS) by supplying a crafted MP4 file. The vulnerability was published on June 25, 2026, and last modified on June 29, 2026. Its Common Vulnerability Scoring System (CVSS) score is 5.5; the attack vector is Local and the attack complexity is Low.

Vendor: GPAC
Product: MP4Box
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-29
Advisory published: 2026-06-25
Advisory updated: 2026-06-29

Who should care

GPAC Project users, developers, and maintainers should be aware of this vulnerability. Security teams and administrators responsible for systems that run GPAC Project MP4Box, in particular any pipeline that processes MP4 files from untrusted sources, should prioritize patching to prevent Denial of Service (DoS) attacks.

Technical summary

The vulnerability is a NULL pointer dereference in the gf_filter_in_parent_chain function in the /filter_core/filter_pid.c file of GPAC Project MP4Box before 26.02.0. An attacker can trigger it by supplying a crafted MP4 file, which crashes the process and leads to a Denial of Service (DoS) condition. The vulnerability has a CVSS score of 5.5 (MEDIUM severity); the attack vector is Local and the attack complexity is Low.

Defensive priority

Patching this vulnerability is of medium priority. Administrators should apply the patch as soon as possible to prevent Denial of Service (DoS) attacks against MP4Box.

Recommended defensive actions

  • Apply the official patch: https://github.com/gpac/gpac/commit/b8d80b44718de10b101e1d7fc17c84d69feb092e
  • Update GPAC Project MP4Box to version 26.02.0 or later
  • Restrict access to MP4Box to trusted users and systems, and avoid processing MP4 files from untrusted sources with unpatched builds, since the attack vector is local and the trigger is a crafted file
  • Monitor systems for unusual activity and potential DoS attacks
  • Consider implementing compensating controls, such as network segmentation and traffic filtering

Evidence notes

The vulnerability was published on June 25, 2026, and last modified on June 29, 2026. The CVE record and NVD detail pages provide additional information. The GPAC Project has released a patch for this vulnerability (see the commit linked above).

Official resources

This article is AI-assisted and based on the supplied source corpus.