CVE-2025-59728 in MPEG-DASHinfo

Summary

by MITRE • 10/06/2025

When calculating the content path in handling of MPEG-DASH manifests, there's an out-of-bounds NUL-byte write one byte past the end of the buffer.When we call xmlNodeGetContent below [0], it returns a buffer precisely allocated to match the string length, using strdup internally. If this buffer is not an empty string, it is assigned to root_url at [1].If the last (non-NUL) byte in this buffer is not '/' then we append '/' in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer.
We recommend upgrading to version 8.0 or beyond.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/21/2026

The vulnerability described in CVE-2025-59728 represents a critical buffer overflow condition that occurs during MPEG-DASH manifest processing within media streaming software. This flaw manifests when the application calculates content paths during XML manifest handling, specifically when processing the root URL of media segments. The issue stems from improper buffer boundary management during string manipulation operations, creating a scenario where memory corruption can occur beyond the intended allocation boundaries.

The technical implementation of this vulnerability involves the xmlNodeGetContent function which returns a buffer sized exactly to accommodate the string length without including the null terminator. When the returned string is not empty, it gets assigned to root_url variable, and subsequent processing logic attempts to append a forward slash character in-place if the final non-null byte is not already a slash. This in-place modification operation writes two bytes into memory - the slash character followed by a null terminator - effectively writing one byte past the end of the originally allocated buffer space.

This type of vulnerability falls under CWE-121, heap-based buffer overflow, and more specifically aligns with CWE-787, out-of-bounds write, as the application writes beyond the allocated memory boundaries. The flaw operates at the intersection of memory management and string processing, where the assumption that sufficient buffer space exists for in-place modification proves incorrect. The vulnerability is particularly concerning in media processing applications as it can be triggered through malformed manifest files that attackers could craft to exploit this condition.

The operational impact of CVE-2025-59728 extends beyond simple memory corruption, as it creates potential for arbitrary code execution or application instability. When an application writes beyond allocated buffer boundaries, it can overwrite adjacent memory locations, potentially corrupting other data structures, function pointers, or control flow information. This makes the vulnerability suitable for exploitation through the ATT&CK framework's technique T1059.007, which covers command and script interpreter execution, or potentially T1068, which involves exploit for privilege escalation. The vulnerability affects applications that process MPEG-DASH manifests, which are commonly used in streaming media services, making it particularly relevant to content delivery networks, media players, and streaming platforms.

The recommended mitigation strategy involves upgrading to version 8.0 or later, which addresses the buffer overflow condition through proper memory allocation and boundary checking. The fix should ensure that sufficient buffer space is allocated to accommodate potential in-place modifications, including the additional null terminator that may be required. Security teams should also implement additional safeguards such as input validation for manifest files, memory protection mechanisms, and regular security updates to prevent exploitation of similar buffer overflow vulnerabilities in related components. Organizations should conduct thorough testing of the upgrade to ensure compatibility while addressing the identified memory corruption vulnerability.

Responsible

Google

Reservation

09/19/2025

Disclosure

10/06/2025

Moderation

accepted

CPE

ready

EPSS

0.00172

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!