CVE-2025-7797

A vulnerability was found in GPAC up to 2.4. It has been rated as problematic. Affected by this issue is the function gf_dash_download_init_segment of the file src/media_tools/dash_client.c. The manipulation of the argument base_init_url leads to null pointer dereference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 153ea314b6b053db17164f8bc3c7e1e460938eaa. It is recommended to apply a patch to fix this issue.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://drive.google.com/file/d/1Z-C6RajpZ40ujo1iGNt3_mG855mPbs1Q/view?usp=share_link	Exploit
https://github.com/gpac/gpac/commit/153ea314b6b053db17164f8bc3c7e1e460938eaa	Patch
https://vuldb.com/?ctiid.316862	Permissions Required VDB Entry
https://vuldb.com/?id.316862	Third Party Advisory VDB Entry
https://vuldb.com/?submit.616664	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*

History

03 Oct 2025, 16:43

Type	Values Removed	Values Added
First Time		Gpac Gpac gpac
CPE		cpe:2.3:a:gpac:gpac::::::::
References	~~() https://drive.google.com/file/d/1Z-C6RajpZ40ujo1iGNt3_mG855mPbs1Q/view?usp=share_link -~~	() https://drive.google.com/file/d/1Z-C6RajpZ40ujo1iGNt3_mG855mPbs1Q/view?usp=share_link - Exploit
References	~~() https://github.com/gpac/gpac/commit/153ea314b6b053db17164f8bc3c7e1e460938eaa -~~	() https://github.com/gpac/gpac/commit/153ea314b6b053db17164f8bc3c7e1e460938eaa - Patch
References	~~() https://vuldb.com/?ctiid.316862 -~~	() https://vuldb.com/?ctiid.316862 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.316862 -~~	() https://vuldb.com/?id.316862 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.616664 -~~	() https://vuldb.com/?submit.616664 - Third Party Advisory, VDB Entry

22 Jul 2025, 13:06

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en GPAC hasta la versión 2.4. Se ha clasificado como problemática. Este problema afecta a la función gf_dash_download_init_segment del archivo src/media_tools/dash_client.c. La manipulación del argumento base_init_url provoca la desreferenciación de puntero nulo. El ataque puede ejecutarse en remoto. Se ha hecho público el exploit y puede que sea utilizado. El parche se identifica como 153ea314b6b053db17164f8bc3c7e1e460938eaa. Se recomienda aplicar un parche para solucionar este problema.

18 Jul 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-18 18:15

Updated : 2025-10-03 16:43

NVD link : CVE-2025-7797

Mitre link : CVE-2025-7797

CVE.ORG link : CVE-2025-7797

JSON object : View

Products Affected

gpac

gpac

CWE

CWE-404

Improper Resource Shutdown or Release

CWE-476

NULL Pointer Dereference

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2025-7797

5.3^/10

5.0^/10

Attach tags to `CVE-2025-7797`