CVE-2024-50665 – This vulnerability in gpac's MP4Box tool is a N... (How to Fix)

Q: What is the severity of CVE-2024-50665?

CVE-2024-50665 has a CVSS score of 5.5 (MEDIUM). This vulnerability in gpac's MP4Box tool is a NULL pointer dereference that causes a segmentation fault (SEGV) when processing specially crafted MP4 files with DRM encryption. It affects users who process untrusted media files with gpac 2.4. The crash could potentially be leveraged for denial of service or further exploitation.

📋 TL;DR

This vulnerability in gpac's MP4Box tool is a NULL pointer dereference that causes a segmentation fault (SEGV) when processing specially crafted MP4 files with DRM encryption. It affects users who process untrusted media files with gpac 2.4. The crash could potentially be leveraged for denial of service or further exploitation.

💻 Affected Systems

Products:

gpac
MP4Box

Versions: gpac 2.4

Operating Systems: Linux, Windows, macOS, All platforms where gpac runs

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects processing of MP4 files with DRM encryption (CENC). Standard MP4 files are not affected.

📦 What is this software?

Gpac by Gpac

View all CVEs affecting Gpac →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution if the crash can be weaponized with memory corruption techniques, though this is unlikely given the CWE classification.

🟠

Likely Case

Denial of service through application crash when processing malicious MP4 files.

🟢

If Mitigated

Minimal impact if proper input validation and sandboxing are in place.

🌐 Internet-Facing: MEDIUM - MP4Box could be exposed through web services processing media uploads.

🏢 Internal Only: LOW - Typically used for media processing workflows rather than critical infrastructure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires feeding a malicious MP4 file to MP4Box. No authentication needed if file processing is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: gpac 2.5 or later

Vendor Advisory: https://github.com/gpac/gpac/issues/2987

Restart Required: No

Instructions:

1. Check current version with 'MP4Box -version'. 2. Update to gpac 2.5+ via package manager or compile from source. 3. Verify fix with 'MP4Box -version' showing 2.5+.

🔧 Temporary Workarounds

Disable DRM processing

all

Avoid processing MP4 files with DRM encryption if not required.

# Configure applications to reject CENC-encrypted MP4 files

Input validation

linux

Validate MP4 files before processing with MP4Box.

# Use tools like 'file' or custom validation scripts

🧯 If You Can't Patch

Restrict MP4Box to trusted, validated media files only
Run MP4Box in sandboxed/containerized environments with limited privileges

🔍 How to Verify

Check if Vulnerable:

Run 'MP4Box -version' and check if output shows version 2.4. Any 2.4 version is vulnerable.

Check Version:

MP4Box -version

Verify Fix Applied:

After update, run 'MP4Box -version' and confirm version is 2.5 or higher.

📡 Detection & Monitoring

Log Indicators:

Segmentation fault (SEGV) errors in application logs
MP4Box crash reports
Core dumps from gpac processes

Network Indicators:

Unusual MP4 file uploads to media processing services
Repeated failed media processing attempts

SIEM Query:

process_name:"MP4Box" AND (event_type:crash OR error_message:"segmentation fault")

📊 Metadata

CVE ID: CVE-2024-50665

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.03% exploit probability (7.1th percentile)

Published: January 23, 2025

Last Updated: February 11, 2025

🔗 References

https://github.com/gpac/gpac/issues/2987 Exploit,Issue Tracking,Vendor Advisory
https://github.com/gpac/gpac/issues/2987 Exploit,Issue Tracking,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50665, you might also want to check these: