CVE-2025-60483

Source
https://cve.org/CVERecord?id=CVE-2025-60483
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60483.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-60483
Downstream
Published
2026-06-01T00:00:00Z
Modified
2026-07-09T19:35:01.700900Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A NULL pointer dereference in the gfac4presb4backchannelspresent function (/mediatools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/60xxx/CVE-2025-60483.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/gpac/gpac

Affected ranges

Type
GIT
Repo
https://github.com/gpac/gpac
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "MP4Box"
        },
        {
            "fixed": "26.02.0"
        }
    ]
}

Affected versions

Other
abi-12
abi-13
abi-14
abi-15
abi-16
abi-12.*
abi-12.16
abi-12.17
abi-12.18
abi-12.19
abi-12.20
abi-12.21
abi-12.22
abi-12.23
abi-12.24
abi-12.25
abi-12.26
abi-12.27
abi-13.*
abi-13.0
abi-14.*
abi-14.0
abi-15.*
abi-15.0
abi-15.1
abi-15.2
abi-16.*
abi-16.2
abi-16.3
abi-16.4
abi-16.5
testtag0.*
testtag0.1
v0.*
v0.5.2
v0.6.0
v0.9.0
v0.9.0-preview
v1.*
v1.0.0
v2.*
v2.0.0
v2.2.0

Database specific

vanir_signatures_modified
"2026-07-09T19:35:01Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60483.json"
vanir_signatures
[
    {
        "id": "CVE-2025-60483-0c927a09",
        "digest": {
            "function_hash": "119331427118805452260653977110323882068",
            "length": 1144.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "function": "txtin_process_send_text_sample",
            "file": "src/filters/load_text.c"
        }
    },
    {
        "id": "CVE-2025-60483-149d4899",
        "digest": {
            "function_hash": "229378594528598445528239402183340614774",
            "length": 1117.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "function": "gf_odf_ac4_cfg_clean_list",
            "file": "src/odf/descriptors.c"
        }
    },
    {
        "id": "CVE-2025-60483-16588809",
        "digest": {
            "function_hash": "184838686202623878916577001940544593865",
            "length": 8162.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "function": "gf_filter_pid_resolve_file_template_ex",
            "file": "src/filter_core/filter_pid.c"
        }
    },
    {
        "id": "CVE-2025-60483-2eebe9f9",
        "digest": {
            "line_hashes": [
                "263229855699910055907089839999455364739",
                "192113742765769321982905987820968519317",
                "265796515486067353279725015632590065927",
                "10900472474120666202727518599613208387"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "file": "src/filter_core/filter_pid.c"
        }
    },
    {
        "id": "CVE-2025-60483-3842f775",
        "digest": {
            "function_hash": "72329964463097325273241771529695068410",
            "length": 529.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "function": "gf_ac4_pres_top_channel_pairs",
            "file": "src/media_tools/av_parsers.c"
        }
    },
    {
        "id": "CVE-2025-60483-86516fde",
        "digest": {
            "line_hashes": [
                "274941447431428118303552763218508288485",
                "94529169039144367614443729912742324066",
                "233445931520024186195245170005028677098",
                "251308173171149139094601613017950448959"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "file": "src/filters/load_text.c"
        }
    },
    {
        "id": "CVE-2025-60483-c49e9fa3",
        "digest": {
            "function_hash": "12853528996648484221985318558537587175",
            "length": 383.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "function": "gf_ac4_pres_b_4_back_channels_present",
            "file": "src/media_tools/av_parsers.c"
        }
    },
    {
        "id": "CVE-2025-60483-c94f3045",
        "digest": {
            "function_hash": "167815779127432638081820870950817504914",
            "length": 604.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "function": "gf_ac4_oamd_common_data",
            "file": "src/media_tools/av_parsers.c"
        }
    },
    {
        "id": "CVE-2025-60483-d85dcab6",
        "digest": {
            "function_hash": "52043912534921305866336672133175427024",
            "length": 4148.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "function": "gf_odf_ac4_cfg_dsi_v1",
            "file": "src/odf/descriptors.c"
        }
    },
    {
        "id": "CVE-2025-60483-daf7e5ad",
        "digest": {
            "line_hashes": [
                "21881754412139333564879561943549396813",
                "187425246353187912494381215261152866660",
                "152131168274718466098767917775716842435",
                "46166691777284388558447332696030508480",
                "318100075712337754198511967558730808404",
                "302172459793984814086232159568483977511",
                "276164901311492659373966563863416415002",
                "315832589933922446446407648342029123575",
                "147353908516770057652343077764619110718",
                "299712238538084327212168653616355381101",
                "261268044783629405480604841356721107886",
                "57481430810754653389291400155288281680",
                "321675206653785456496182330702511978153",
                "274573090219790207878364981908708016017",
                "137094092846678770852079822596970685581",
                "39783544712492073382198650615105358454",
                "47828808561271817177125719610403089315"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "file": "src/odf/descriptors.c"
        }
    },
    {
        "id": "CVE-2025-60483-e82e87cc",
        "digest": {
            "line_hashes": [
                "269372615484095727664279138480992726371",
                "284662915484188318166549626663487275179",
                "131402185700019386913151730365332512031",
                "209385215032895354917277063366667043613",
                "19500034083579600205700187086289098294",
                "135040001861682879386930705441291951365",
                "181297475272340019449360578467135501194",
                "136487013873471022016688705030312090735",
                "19500034083579600205700187086289098294",
                "135040001861682879386930705441291951365",
                "181297475272340019449360578467135501194",
                "209751471631048242378424560661162680361"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
        "deprecated": false,
        "target": {
            "file": "src/media_tools/av_parsers.c"
        }
    }
]