PatchSiren

CVE-2025-60486 GPAC CVE debrief

A heap use-after-free exists in the `dasher_process` function in `/filters/dasher.c` of GPAC (the library behind MP4Box) before version 26.02.0. The flaw is reached when a crafted MPEG-2 file is processed by the DASH segmenter filter and results in a crash, i.e. a Denial of Service (DoS). The vulnerability was addressed in a commit to the GPAC repository; a public issue report and proof-of-concept materials from the reporter are available.

Vendor: GPAC
Product: MP4Box
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations using GPAC/MP4Box for media processing, particularly those handling untrusted MPEG-2 content in automated pipelines or user-facing conversion services.

Technical summary

The vulnerability is a heap use-after-free in the `dasher_process` function of `/filters/dasher.c` in GPAC/MP4Box; versions prior to 26.02.0 are affected. `dasher_process` is the processing callback of GPAC's DASH segmenter filter, which MP4Box runs when it packages content for DASH (for example with `-dash`), so the bug is reached by segmenting pipelines rather than by every MP4Box operation. An attacker who can supply a crafted MPEG-2 file to such a pipeline triggers the memory safety flaw during processing and crashes the process, a Denial of Service. No impact beyond DoS is documented in the stored evidence. The fix is available in the GPAC repository.

Defensive priority

medium

Recommended defensive actions

  • Upgrade GPAC/MP4Box to version 26.02.0 or later, which contains the remediation commit.
  • Restrict processing of untrusted MPEG-2 media files through MP4Box until patching is complete.
  • Monitor MP4Box/dasher processing pipelines for signal-terminated runs (SIGSEGV, SIGABRT) and other memory corruption indicators; a sudden rise in crashes on a particular input is the expected symptom of this flaw being triggered.
  • Review and validate vendor attribution for this CVE, as current vendor confidence is low and marked for review.
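The two interim actions above (refuse untrusted input on a vulnerable build, and log crashes from the segmenter) can be enforced with a small wrapper around MP4Box. The script below is an added example, not PatchSiren's or GPAC's code. It assumes, which the advisory does not state, that `MP4Box -version` prints a banner containing "GPAC version X.Y.Z", that the segmenter is invoked with `-dash`, and that coreutils `timeout` and a shell with `ulimit -v` are available; the version banner used in the comments is constructed, and the exit-status numbers follow Linux signal numbering.

```shell
#!/bin/sh
# Added example (not PatchSiren's or GPAC's code): gate MP4Box DASH segmenting of
# untrusted input on the fixed GPAC version and log crashes for monitoring.

FIXED_VERSION="26.02.0"   # first fixed release named in the CVE description

# Extract the first dotted version number from a version banner.
# Assumed banner format (constructed example):
#   "MP4Box - GPAC version 2.4.0-rev0-g1234abcd-release"  ->  "2.4.0"
parse_gpac_version() {
    printf '%s\n' "$1" | sed -n 's/.*GPAC version \([0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Return 0 (true) when version $1 >= version $2, comparing dot-separated
# numeric fields so that "26.02.0" == "26.2.0" and "26.10.0" > "26.9.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Classify an exit status. The shell reports death by signal N as 128+N, so a
# heap use-after-free typically shows up as 139 (SIGSEGV) or 134 (SIGABRT from
# glibc heap checks or ASan). 124 is the timeout(1) convention for a hung run.
classify_exit() {
    case "$1" in
        0)           echo "ok" ;;
        134|135|139) echo "crash" ;;     # SIGABRT, SIGBUS, SIGSEGV (Linux numbering)
        124)         echo "timeout" ;;
        *)           echo "error" ;;
    esac
}

# Segment one untrusted file. Refuses on a vulnerable build; otherwise runs
# MP4Box with a wall-clock limit and a capped address space, and appends an
# audit line that a log pipeline can alert on when class=crash.
dash_untrusted() {
    input="$1"; shift
    banner=$(MP4Box -version 2>&1)
    ver=$(parse_gpac_version "$banner")
    if ! version_ge "${ver:-0}" "$FIXED_VERSION"; then
        echo "refusing $input: GPAC ${ver:-unknown} < $FIXED_VERSION (CVE-2025-60486 unpatched)" >&2
        return 2
    fi
    (ulimit -v 2097152; timeout 120 MP4Box -dash 4000 "$input" "$@")
    status=$?
    printf '%s input=%s status=%s class=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$input" "$status" "$(classify_exit "$status")" \
        >> mp4box-audit.log
    return "$status"
}
```

`dash_untrusted upload.ts` is the intended entry point; the audit log line carries `class=crash` for signal-terminated runs, which is the indicator worth alerting on while the fleet is being upgraded.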

Evidence notes

The CVE description identifies the affected function (`dasher_process` in `/filters/dasher.c`) and the affected versions (before 26.02.0). The NVD source item references a GitHub commit (`e6d01820d7bf3967d931fedb379ee5f209bc133b`) that appears to contain the fix, a GitHub issue (`3314`) documenting the report, and a proof-of-concept README from the reporter. The vendor field indicates low confidence and requires review, as the canonical vendor attribution is derived from reference domain inference rather than explicit CPE or vendor statement.

Official resources

2026-06-01