CVE-2025-70308

7.5 HIGH

📋 TL;DR

An out-of-bounds read vulnerability in GPAC's GSF demuxer filter allows attackers to cause denial of service by processing a malicious .gsf file. This affects systems running GPAC v2.4.0 that process multimedia files. Users who open untrusted .gsf files are at risk.

💻 Affected Systems

Products:
  • GPAC (Multimedia Framework)
Versions: v2.4.0
Operating Systems: All platforms running GPAC
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with GPAC installed and configured to process .gsf files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system crash or service disruption of GPAC-based applications, potentially affecting dependent services.

🟠 Likely Case: Application crash when processing malicious .gsf files, causing temporary DoS for affected multimedia processing.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing of file processing.

🌐 Internet-Facing: MEDIUM - Risk exists if GPAC processes user-uploaded files via web services, but requires specific .gsf file format.
🏢 Internal Only: LOW - Requires local file processing of crafted .gsf files, limiting attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available on GitHub demonstrates DoS via crafted .gsf file. Exploitation requires victim to process malicious file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor GPAC security advisories for patch release.
2. Check for updated version beyond v2.4.0.
3. Apply patch when available from official GPAC repository.

🔧 Temporary Workarounds

Disable GSF demuxer processing (Linux)

Remove or disable the vulnerable GSF demuxer component to prevent exploitation.

# For Linux: Remove or rename GSF demuxer plugin
sudo mv /usr/lib/gpac/libgsf_demux.so /usr/lib/gpac/libgsf_demux.so.disabled

Restrict .gsf file processing (all platforms)

Implement file type restrictions to block .gsf files from being processed by GPAC.

# Configure application firewall or file filter rules

🧯 If You Can't Patch

  • Implement strict input validation for all multimedia files processed by GPAC
  • Sandbox GPAC processes to limit impact of potential crashes

🔍 How to Verify

Check if Vulnerable:

Check GPAC version: gpac -version. If output shows v2.4.0, system is vulnerable.

Check Version:

gpac -version 2>/dev/null || echo 'GPAC not installed'

Verify Fix Applied:

After applying workarounds, attempt to process a test .gsf file to confirm GSF demuxer is disabled.

📡 Detection & Monitoring

Log Indicators:

  • GPAC crash logs with segmentation faults
  • Application errors mentioning GSF demuxer or out-of-bounds reads

Network Indicators:

  • Unusual .gsf file transfers to systems running GPAC

SIEM Query:

source="application_logs" AND ("GPAC" OR "gsf") AND ("crash" OR "segmentation fault" OR "out of bounds")
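
The query's two term groups applied to syslog-style lines and counted per host, as an added example (not from the original advisory or the GPAC project). The log layout, host names and messages are constructed, and the `extended` mode is an addition: it also matches the Linux kernel wording "segfault" and the hyphenated "out-of-bounds" used in the log indicators above, both of which the literal query terms miss.

```python
import re
from collections import Counter

# Term groups taken from the SIEM query: (GPAC OR gsf) AND (crash OR ...).
SUBJECT_TERMS = ("gpac", "gsf")
FAILURE_TERMS = ("crash", "segmentation fault", "out of bounds")
# Assumption (not in the page's query): the Linux kernel logs "segfault".
EXTRA_FAILURE_TERMS = ("segfault",)

# Assumed layout: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+(?P<msg>.*)$")

# Constructed sample lines, not real GPAC output.
SAMPLE_LOG = [
    "Jan 12 10:01:07 media01 transcoder[812]: GPAC job 41 failed: Segmentation fault (core dumped)",
    "Jan 12 10:01:09 media01 kernel: gpac[4411]: segfault at 0 ip 0000000000000000 sp 0000000000000000 error 4 in libgpac.so",
    "Jan 12 10:03:30 media02 transcoder[233]: gsf demuxer: out-of-bounds read while parsing input",
    "Jan 12 10:04:00 media02 transcoder[233]: queued sample.gsf for processing",
    "Jan 12 10:05:12 web01 nginx[90]: worker process crashed",
]

def matches(message, extended=False):
    """True if the message has a subject term AND a failure term (case-insensitive)."""
    text = message.lower()
    failures = FAILURE_TERMS
    if extended:
        # Treat hyphens as spaces so "out-of-bounds" matches "out of bounds".
        text = re.sub(r"-+", " ", text)
        failures = FAILURE_TERMS + EXTRA_FAILURE_TERMS
    return (any(t in text for t in SUBJECT_TERMS)
            and any(t in text for t in failures))

def hits_per_host(lines, extended=False):
    """Count matching lines per host; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and matches(m.group("msg"), extended):
            counts[m.group("host")] += 1
    return dict(counts)

if __name__ == "__main__":
    print("query as written:", hits_per_host(SAMPLE_LOG))
    print("extended terms:  ", hits_per_host(SAMPLE_LOG, extended=True))
```
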
