CVE-2025-55648

Vulnerability

A heap buffer overflow exists in the gf_opus_parse_packet_header function in media_tools/av_parsers.c of GPAC MP4Box prior to commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5. The vulnerability occurs when the MP4Box utility is used to dump or process a crafted MP4 file containing corrupted sample-size (stsz) data for an Opus audio track. The function does not sufficiently validate the input buffer length before parsing the Opus packet header, leading to a heap-buffer-overflow READ of size 1 at line 11297 [1]. Affected versions include GPAC MP4Box v2.4 and earlier versions without the fix.

Exploitation

An attacker must provide a specially crafted MP4 file to a target user or service that invokes MP4Box to process the file. No authentication or special privileges are required; the attack vector is network-based (AV:N) and requires user interaction (UI:R) such as opening the malicious file or having an application automatically process it. The exploitation sequence involves delivering the crafted MP4 with a corrupted stsz sample-size table for an Opus track, triggering the buffer over-read when gf_opus_parse_packet_header is called [1].

Impact

Successful exploitation results in a denial of service (DoS) due to a heap-buffer-overflow, which can cause the application to crash. The integrity and availability of the system are affected (C:L, I:L, A:L per CVSS v3.1 [1]). Information disclosure may also be possible due to the out-of-bounds read, but the primary impact is application termination.

Mitigation

The fix is implemented in commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5. Users should update GPAC/MP4Box to a version that includes this commit or later. No workaround is mentioned in the available references. If unable to update, avoid processing untrusted MP4 files with MP4Box. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) at the time of writing.