NULL Pointer Dereference Affecting ffmpeg package, versions >=0.0.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.03% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-COCOAPODS-FFMPEG-8730894
  • published17 Feb 2025
  • disclosed17 Feb 2025
  • credit0x20z

Introduced: 17 Feb 2025

CVE-2025-1373  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

FFmpeg is a FFmpeg static library ruby binding that is compiled for iOS and CocoaPods.

Affected versions of this package are vulnerable to NULL Pointer Dereference due to the mov_read_trak function.

PoC

git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g"   --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -y -i poc tmp.mp4

CVSS Base Scores

version 4.0
version 3.1