CVE-2024-57184

5.5 MEDIUM

📋 TL;DR

A heap-based buffer overflow vulnerability exists in GPAC v0.8.0's MP4Box tool when processing crafted MP4 files. This can cause denial of service (crash) and potentially allow arbitrary code execution. Users and systems processing untrusted MP4 files with GPAC are affected.

💻 Affected Systems

Products:
  • GPAC
  • MP4Box
Versions: v0.8.0 specifically (check commit history for other potentially affected versions)
Operating Systems: All platforms running GPAC
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the MPEG-TS processing component when handling PMT (Program Map Table) data.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if heap manipulation succeeds.

🟠 Likely Case: Denial of service (application crash) when processing malicious MP4 files.

🟢 If Mitigated: Application crash with no further impact if exploit fails or is contained.

🌐 Internet-Facing: MEDIUM - Only affects systems processing uploaded MP4 files from untrusted sources.
🏢 Internal Only: LOW - Requires processing of malicious MP4 files, which is less common internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires crafting a malicious MP4 file; heap manipulation for RCE is complex but DoS is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 8c5e847185d74462d674ee7d28fb46c29dae6dd2

Vendor Advisory: https://github.com/gpac/gpac/issues/1421

Restart Required: No

Instructions:

1. Update GPAC to the latest version from the official repository.
2. Rebuild from source if using custom builds.
3. Replace the MP4Box binary with the patched version.

🔧 Temporary Workarounds

Input validation (all platforms): Validate MP4 files before processing with GPAC tools.

Sandbox execution (linux): Run MP4Box in a container or sandboxed environment:

docker run --rm -v $(pwd):/data gpac/gpac mp4box [options]

🧯 If You Can't Patch

  • Restrict MP4 file processing to trusted sources only
  • Implement application allowlisting to prevent unauthorized GPAC/MP4Box execution

🔍 How to Verify

Check if Vulnerable:

Check GPAC version: mp4box -version 2>&1 | grep 'GPAC'

Check Version:

mp4box -version 2>&1 | head -1

Verify Fix Applied:

Confirm the build includes commit 8c5e847, or that the reported version is newer than v0.8.0.
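The two checks above (fix commit present, or version newer than v0.8.0) can be automated over the output of `mp4box -version`. The following is an added example, not part of this advisory or of GPAC's own tooling; it assumes the version line contains the text "GPAC version" followed by a dotted version and an optional suffix such as "-DEV-rev1234-g<hash>", and the sample outputs it is fed are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fix commit taken from the advisory; only the first 7 characters are matched
# because that is what build suffixes typically embed.
FIX_COMMIT = "8c5e847185d74462d674ee7d28fb46c29dae6dd2"
AFFECTED = (0, 8, 0)  # v0.8.0, the version the advisory names

# Assumed output shape, e.g. "MP4Box - GPAC version 0.8.0-DEV-rev1234-gabcdef0"
VERSION_RE = re.compile(r"GPAC version\s+(\d+)\.(\d+)\.(\d+)(\S*)")


def parse_gpac_version(output: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), suffix) from `mp4box -version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def assess(output: str) -> str:
    """Classify a version string as 'fixed', 'vulnerable' or 'unknown'.

    Order matters: a 0.8.0-DEV build whose suffix carries the fix hash is fixed,
    any other 0.8.0 build is treated as vulnerable, anything newer is fixed, and
    anything older (or unparseable) is reported as unknown so it gets a manual look.
    """
    parsed = parse_gpac_version(output)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    if FIX_COMMIT[:7] in suffix.lower():
        return "fixed"
    if version > AFFECTED:
        return "fixed"
    if version == AFFECTED:
        return "vulnerable"
    return "unknown"


def assess_installed(binary: str = "mp4box") -> str:
    """Run the installed binary (stdout and stderr merged, as in the advisory) and assess it."""
    try:
        proc = subprocess.run([binary, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stdout + proc.stderr)


# Constructed sample outputs (not captured from real installs) for a stand-alone run.
SAMPLES = [
    "MP4Box - GPAC version 0.8.0-DEV-rev1234-gdeadbee",
    "MP4Box - GPAC version 0.8.0-rev7-g8c5e847",
    "MP4Box - GPAC version 1.0.1",
    "MP4Box - GPAC version 0.7.1",
    "mp4box: command not found",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{assess(sample):10s} <- {sample}")
    print("installed:", assess_installed())
```

A 0.8.0-DEV build is deliberately reported as vulnerable unless its suffix carries the fix hash, since the version number alone cannot tell you whether the fixing commit is in that build; an "unknown" result for older releases mirrors the advisory's note to check the commit history for other affected versions.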

📡 Detection & Monitoring

Log Indicators:

  • GPAC/MP4Box crash logs
  • Segmentation fault errors
  • Abnormal process termination

Network Indicators:

  • Unusual MP4 file uploads to processing systems

SIEM Query:

process_name:"mp4box" AND (event_type:"crash" OR exit_code:139)
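For environments without a SIEM, the same logic as the query above can be run over host logs: flag a kernel segfault message for the MP4Box process, or a job record where it exited with code 139 (128 + 11, the shell convention for a process killed by SIGSEGV). This is an added example, not part of this advisory; the log lines are constructed to look like syslog-style kernel messages and a hypothetical transcoding job log, and the field names `process=` and `exit_code=` are assumptions about that job log's format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

WATCHED_PROCESS = "mp4box"   # matched case-insensitively; the binary is usually installed as MP4Box
SIGSEGV_EXIT = 139           # 128 + SIGSEGV(11), what a shell reports for a segfaulted child

# Linux kernel segfault report, e.g. "kernel: MP4Box[4123]: segfault at 7f3a4c001000 ip ..."
SEGFAULT_RE = re.compile(
    r"kernel: (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
)
# Hypothetical job-runner record: "... process=MP4Box exit_code=139"
EXIT_RE = re.compile(r"process=(?P<proc>[\w.-]+)\s+exit_code=(?P<code>\d+)")


@dataclass
class Alert:
    line_no: int
    reason: str
    detail: str


def detect_mp4box_crashes(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per line that matches the advisory's crash indicators."""
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        m = SEGFAULT_RE.search(line)
        if m and m.group("proc").lower() == WATCHED_PROCESS:
            alerts.append(Alert(n, "segfault", f"pid {m.group('pid')} faulted at 0x{m.group('addr')}"))
            continue
        m = EXIT_RE.search(line)
        if m and m.group("proc").lower() == WATCHED_PROCESS and int(m.group("code")) == SIGSEGV_EXIT:
            alerts.append(Alert(n, "exit_code_139", "process killed by SIGSEGV"))
    return alerts


# Constructed sample log (not real captures): two hits, two benign lines.
SAMPLE_LOG = [
    "Mar  3 10:12:01 mediasrv kernel: MP4Box[4123]: segfault at 7f3a4c001000 ip 00007f3a4b9c1a2e sp 00007ffd1c0e9f40 error 4 in libgpac.so",
    "Mar  3 10:12:01 mediasrv transcode[4000]: job 77 worker exited process=MP4Box exit_code=139",
    "Mar  3 10:13:10 mediasrv transcode[4000]: job 78 worker exited process=MP4Box exit_code=0",
    "Mar  3 10:14:22 mediasrv kernel: ffmpeg[4200]: segfault at 0 ip 0000000000401000 sp 00007ffd1c0e9f40 error 6 in ffmpeg",
]

if __name__ == "__main__":
    for alert in detect_mp4box_crashes(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.reason} ({alert.detail})")
```

The first two sample lines describe the same crash from two vantage points (kernel and job runner), which is why a real deployment should deduplicate by time window and PID before paging anyone; the ffmpeg segfault and the clean exit are left unflagged so the filter's selectivity is visible.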
