Unhandled SWF Tags in MP4Box: Potential Vulnerability in GPAC in gpac/gpac


Reported on

Mar 22nd 2023

An unhandled series of SWF tags have been identified in the MP4Box software, which is part of the GPAC multimedia framework. These tags are not properly processed, leading to potential vulnerabilities such as denial of service, buffer overflows, or other malicious attacks.

POC: # ./MP4Box -dash 1000 POC4 LINK: https://drive.google.com/file/d/1hHzxolxklZDG_wtowwUEmel9-HAya9Az/view?usp=share_link


As a result of these unhandled tags, the software may be prone to exploitation by attackers, who can leverage the vulnerability to compromise the affected system, steal sensitive information, or disrupt normal operations. It is recommended to promptly patch or update the software to a version that addresses these issues to minimize the risk of potential attacks.

We are processing your report and will contact the gpac team within 24 hours. 2 months ago
We have contacted a member of the gpac team and are waiting to hear back 2 months ago
gpac/gpac maintainer
2 months ago



gpac/gpac maintainer validated this vulnerability 2 months ago
Juan Pablo Lopez Yacubian has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.4.0 with commit 2c0551 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 2 months ago
to join this conversation