CVE-2025-70299 – A heap overflow vulnerability in GPAC's AVI fil... (How to Fix)

Q: What is the severity of CVE-2025-70299?

CVE-2025-70299 has a CVSS score of 6.5 (MEDIUM). A heap overflow vulnerability in GPAC's AVI file parser allows attackers to cause denial of service by providing a specially crafted AVI file. This affects systems running GPAC v2.4.0 that process untrusted AVI files, potentially impacting media servers, video processing applications, and users opening malicious files.

📋 TL;DR

A heap overflow vulnerability in GPAC's AVI file parser allows attackers to cause denial of service by providing a specially crafted AVI file. This affects systems running GPAC v2.4.0 that process untrusted AVI files, potentially impacting media servers, video processing applications, and users opening malicious files.

💻 Affected Systems

Products:

GPAC (Multimedia Framework)

Versions: v2.4.0

Operating Systems: Linux, Windows, macOS, BSD

Default Config Vulnerable: ⚠️ Yes

Notes: Any system using GPAC to parse AVI files is vulnerable. This includes media servers, video editors, and applications embedding GPAC libraries.

📦 What is this software?

Gpac by Gpac

View all CVEs affecting Gpac →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash or service disruption leading to unavailability of GPAC-dependent applications, with potential for remote code execution if heap manipulation succeeds.

🟠

Likely Case

Denial of service causing application crashes when processing malicious AVI files, disrupting media processing workflows.

🟢

If Mitigated

Contained application crash without system-wide impact if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept demonstrates reliable DoS via crafted AVI file. Weaponization for RCE would require additional heap manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not yet released

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Monitor GPAC security advisories for patch release. 2. Upgrade to patched version when available. 3. Restart affected services after patching.

🔧 Temporary Workarounds

Input Validation Filter

all

Block or sanitize AVI file processing in GPAC applications

# Configure application to reject AVI files or use file type restrictions

Sandbox Execution

linux

Run GPAC in isolated containers with limited privileges

docker run --read-only --cap-drop=ALL -v /safe_input:/input gpac_container

🧯 If You Can't Patch

Implement strict file upload controls to block AVI files from untrusted sources
Deploy network segmentation to isolate GPAC servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check GPAC version: gpac -version. If output shows 2.4.0, system is vulnerable.

Check Version:

gpac -version 2>&1 | head -1

Verify Fix Applied:

After patching, verify version is higher than 2.4.0 and test with known malicious AVI file.

📡 Detection & Monitoring

Log Indicators:

GPAC segmentation fault logs
Application crash reports mentioning avi_parse_input_file
Abnormal process termination of GPAC applications

Network Indicators:

Unusual AVI file transfers to media servers
Multiple failed media processing requests

SIEM Query:

source="*gpac*" AND ("segmentation fault" OR "heap overflow" OR "avi_parse")

📊 Metadata

CVE ID: CVE-2025-70299

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE: CWE-122

EPSS Score: 0.05% exploit probability (14.2th percentile)

Published: January 15, 2026

Last Updated: January 30, 2026

🔗 References

https://github.com/zakkanijia/POC/blob/main/gpac_avi/GPAC_AVI_indx_heap_overflow.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-70299, you might also want to check these: