{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-59728", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2025-09-19T08:11:37.549Z", "datePublished": "2025-10-06T08:08:27.410Z", "dateUpdated": "2025-10-06T08:08:27.410Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://git.ffmpeg.org/ffmpeg.git", "defaultStatus": "unaffected", "product": "MPEG-DASH", "repo": "https://git.ffmpeg.org/ffmpeg.git", "vendor": "FFmpeg", "versions": [{"lessThan": "8.0", "status": "affected", "version": "7.1.1", "versionType": "semver"}, {"lessThan": "8.0", "status": "affected", "version": "a218cafe4d3be005ab0c61130f90db4d21afb5db", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Google Big Sleep"}], "datePublic": "2025-07-21T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>When calculating the content path in handling of MPEG-DASH manifests, there's an out-of-bounds NUL-byte write one byte past the end of the buffer.When we call <code>xmlNodeGetContent</code>&nbsp;below [0], it returns a buffer precisely allocated to match the string length, using <code>strdup</code>&nbsp;internally. If this buffer is not an empty string, it is assigned to <code>root_url</code>&nbsp;at [1].If the last (non-NUL) byte in this buffer is not <code>'/'</code>&nbsp;then we append <code>'/'</code>&nbsp;in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer.<br>We recommend upgrading to version 8.0 or beyond.</p><br>"}], "value": "When calculating the content path in handling of MPEG-DASH manifests, there's an out-of-bounds NUL-byte write one byte past the end of the buffer.When we call xmlNodeGetContent\u00a0below [0], it returns a buffer precisely allocated to match the string length, using strdup\u00a0internally. If this buffer is not an empty string, it is assigned to root_url\u00a0at [1].If the last (non-NUL) byte in this buffer is not '/'\u00a0then we append '/'\u00a0in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer.\nWe recommend upgrading to version 8.0 or beyond."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2025-10-06T08:08:27.410Z"}, "references": [{"url": "https://issuetracker.google.com/433502298"}], "source": {"discovery": "EXTERNAL"}, "title": "Heap-buffer-overflow write in FFmpeg MDASH resolve_content_path", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When calculating the content path in handling of MPEG-DASH manifests, there's an out-of-bounds NUL-byte write one byte past the end of the buffer.When we call xmlNodeGetContent\u00a0below [0], it returns a buffer precisely allocated to match the string length, using strdup\u00a0internally. If this buffer is not an empty string, it is assigned to root_url\u00a0at [1].If the last (non-NUL) byte in this buffer is not '/'\u00a0then we append '/'\u00a0in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer.\nWe recommend upgrading to version 8.0 or beyond."}], "id": "CVE-2025-59728", "lastModified": "2025-10-06T08:15:34.220", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2025-10-06T08:15:34.220", "references": [{"source": "cve-coordination@google.com", "url": "https://issuetracker.google.com/433502298"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{}

{}