The Security Landscape of the GPAC Open-Source Project: A Balanced Perspective

GPAC is an open-source multimedia framework used by many developers and organizations to manipulate, package, and stream multimedia content. Given the popularity of GPAC in media manipulation tasks, it has naturally caught the attention of security researchers and organizations such as the Cybersecurity and Infrastructure Security Agency (CISA). Over time, many bugs have been discovered and a few vulnerabilities flagged, prompting some concern in the development community. However, these reports, especially the recent CISA GPAC advisories, are either outdated or have been adequately addressed by the GPAC team, rendering the issues largely non-serious today.

Understanding GPAC Vulnerabilities

Like any large software project written in C, dealing with bitstream parsing, and started at a time when security was not a concern, GPAC’s codebase has been exposed to many types of crashes and vulnerabilities when fed with malformed input data. The most recent CISA advisories on GPAC vulnerabilities, while helpful for raising awareness, highlight problems that are no longer pressing.

For example, certain vulnerabilities that surfaced in 2024, which included concerns around memory safety, buffer overflows, and input validation, have already been patched in newer releases.

While CISA’s advisories motivated the GPAC team to address these issues more quickly, it is crucial to understand that CISA GPAC reports have a delayed effect when disseminated to the public, meaning the issues are often resolved by the time the advisories are released.

Most of the vulnerabilities cited by CISA are also categorized as low to medium severity, meaning they do not pose immediate or significant risks for most users. Moreover, they primarily affect environments where the code is not sandboxed properly or where media files are processed directly from untrusted sources—scenarios that can often be mitigated with basic security best practices. Even so, beyond causing a potential crash, the path to exploitation remains unclear, making most of these reports simple bugs rather than actual security vulnerabilities.

In addition, GPAC has a security policy in place. We invite security researchers to follow its instructions for a swift analysis and resolution of their concerns.

Why The Recent CISA Issues Are Not Serious

A few key reasons illustrate why the CISA-reported GPAC issues are not a current concern:

  1. Timely Patching by the GPAC Team: GPAC’s developer community is highly active, with frequent updates and patches released. The vulnerabilities that CISA flagged have, in many cases, been swiftly addressed by GPAC developers. For example, buffer overflow issues raised in early 2023 were quickly resolved in subsequent software patches. The project’s maintainers work closely with the security community and enrol in public fuzzing and analysis infrastructures to ensure that these issues are caught and mitigated before they are reported.
  2. Limited Exploitability: The majority of the flagged vulnerabilities require specific, often unrealistic conditions to be exploited. Many of the issues only become relevant when processing malicious media files in very particular environments. For developers who follow standard practices—such as sandboxing, using trusted input sources, and staying updated with the latest patches—the risk remains minimal.
  3. Open-Source Advantages: Being an open-source project, GPAC benefits from having many eyes on its codebase. Vulnerabilities are discovered faster, and the community of developers often provides fixes before any serious exploitation can occur. Additionally, transparency is a cornerstone of GPAC, allowing users to inspect the changes and patches themselves, contributing to a sense of shared responsibility and trust.

Practical Steps for Developers Using GPAC

While GPAC’s security situation is stable, it’s always wise to follow a few best practices when using open-source software:

  • Update Regularly: Ensure you’re using the latest version of GPAC. The project is regularly maintained, and updates contain security fixes.
  • Sandbox Media Processing: When processing media files, especially from unknown or untrusted sources, use sandboxing to limit the impact of any potential vulnerabilities.
  • Monitor Vulnerability Feeds: Watch for new GPAC vulnerabilities affecting your deployed version by following vulnerability databases such as the National Vulnerability Database (NVD), so you stay informed about any emerging issues that might affect you.
  • Harden Your Systems: Apply general hardening practices to your systems and environments that use GPAC, such as enabling ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and other standard security mechanisms.
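One way to act on the "Monitor Vulnerability Feeds" step is to filter an NVD CVE API 2.0 response by the CPE version ranges it carries against the GPAC version you actually deploy. This is an added example, not GPAC project code; the NVD response below is a constructed sample with placeholder CVE ids, and the NVD endpoint named in the comment is real but is not contacted here.

```python
import json

# Constructed sample shaped like an NVD CVE API 2.0 response. The CVE IDs are
# placeholders, not real GPAC advisories; only the fields the check reads are present.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-XXXX-0001",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*",
                 "versionEndExcluding": "2.4.0"}]}]}]}},
    {"cve": {"id": "CVE-XXXX-0002",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseSeverity": "HIGH"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:gpac:gpac:2.2.1:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-XXXX-0003", "metrics": {},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "2.0.0",
                 "versionEndIncluding": "2.2.1"}]}]}]}},
]})

def parse_version(text):
    """Turn '2.2.1' (or '2.4.0-DEV', as 'gpac -version' prints it) into an int tuple."""
    return tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())

def cpe_match_applies(match, deployed):
    """True if one NVD cpeMatch entry for the gpac:gpac product covers 'deployed'."""
    parts = match.get("criteria", "").split(":")
    if not match.get("vulnerable", False) or parts[3:5] != ["gpac", "gpac"]:
        return False
    if parts[5] not in ("*", "-"):            # exact version pinned in the CPE itself
        return parse_version(parts[5]) == deployed
    # Range bounds are optional; a missing bound is an open end of the range.
    bounds = (("versionStartIncluding", lambda v: deployed < v),
              ("versionStartExcluding", lambda v: deployed <= v),
              ("versionEndIncluding", lambda v: deployed > v),
              ("versionEndExcluding", lambda v: deployed >= v))
    return not any(key in match and outside(parse_version(match[key])) for key, outside in bounds)

def affecting_cves(nvd_json, deployed_version):
    """Return [(cve_id, severity)] for CVEs whose CPE data covers the deployed version."""
    deployed = parse_version(deployed_version)
    hits = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        if any(cpe_match_applies(m, deployed)
               for cfg in cve.get("configurations", [])
               for node in cfg.get("nodes", [])
               for m in node.get("cpeMatch", [])):
            v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
            severity = v31[0]["cvssData"]["baseSeverity"] if v31 else "UNRATED"
            hits.append((cve["id"], severity))
    return hits

if __name__ == "__main__":
    # A real run would fetch https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=gpac
    for cve_id, severity in affecting_cves(SAMPLE_NVD_RESPONSE, "2.2.1"):
        print(cve_id, severity)
```

Entries without a CVSS v3.1 score are reported as UNRATED rather than dropped, so a freshly published CVE still shows up for triage.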

Conclusion

The security issues surrounding GPAC, flagged by CISA and other agencies, have been managed with care by the open-source community. Most of the vulnerabilities were low to medium severity, and the project’s maintainers have been proactive in detecting and addressing them using a state-of-the-art security policy.

For developers and organizations using GPAC, following basic security practices—such as updating regularly and using sandboxing—ensures a safe and secure experience. The concerns raised by CISA’s GPAC advisories, while relevant at the time, have become outdated in the current context.

GPAC remains a robust and secure tool for multimedia processing and streaming, with a community that prioritizes both functionality and security.

MABR: “Multicast Adaptive BitRate”

Introduction: Hybrid by Default

GPAC has a long history of seamlessly blending transport channels, such as broadband and broadcast, to reassemble signals without interruption. This innovative approach is more relevant than ever as it resurfaces in the form of a hybrid unicast OTT combined with Adaptive Bitrate (ABR) streaming, aimed at reducing transport costs while maintaining quality.

GPAC’s commitment to mixing traditional broadcast media with modern interactive applications—what we proudly call “UltraMedia”—is at the core of our vision for the future of media. 

GPAC has been architected to embody this strong vision because we believe it is the future of media, supporting the convergence of media experiences across different platforms and formats. It’s exciting to see multicast and hybrid solutions gaining renewed attention as the industry evolves.

The Most Versatile Multicast-ABR Solution

GPAC stands as the only open-source solution that supports both ROUTE and FLUTE protocols, which is why it is highly regarded within industry consortiums. This makes GPAC the ideal platform for evaluating and experimenting with various protocols, offering reproducible results that can inform decisions on the best approaches to adopt.

Our expertise in ROUTE, showcased by our ATSC 3.0 implementation (which earned us a NAB Innovation Award in 2018), and our recent addition of FLUTE support for DVB-MABR (2024), highlight our commitment to staying at the forefront of technology. GPAC also supports DASH, HLS, and other media formats (albeit with some limitations), allowing users to leverage Multicast-ABR as they would any other format—whether for analyzing, dumping, or integrating with other content.

As we continue to push the boundaries of what’s possible, we value the feedback from our community. Your insights are invaluable to our journey; let us know what features or improvements you need as we shape the future of media together.

Practical Applications of Multicast-ABR

Over time, several compelling applications of multicast-ABR have emerged, showcasing the versatility and potential of this technology in different broadcasting scenarios:

  • Rich-Media Delivery via Broadcast Carousels: One of the standout applications is the use of carousels to send rich-media content over a broadcast signal. This method allows broadcasters to deliver interactive and enhanced content, such as multimedia presentations or additional data layers, alongside the main broadcast stream.
  • Layered Media Transmission: Another innovative use case involves sending a base layer on one channel and an improvement layer on another. This technique enables efficient bandwidth usage while still offering the option to enhance the content quality for users who have the capability to receive and process the additional data.
  • Separate Channel Media Distribution: There’s also the possibility of distributing different media components—such as audio, video, and subtitles—across separate channels. This approach can optimize the delivery process, ensuring that each component is transmitted with the appropriate level of quality and bandwidth allocation.

These examples underscore the adaptability of multicast-ABR and GPAC in addressing various media distribution challenges, further solidifying its role in the future of broadcast and streaming technologies.

The Evolution of IP Multicast in Broadcast

Over the last decade, traditional broadcast has found new life through IP multicast. On mobile networks, technologies like LTE and more recently 5G have driven the broadcasting of content, particularly within managed networks—spaces where IP multicast has been a mainstay for years. As consumer habits shift away from linear consumption, the challenge of merging OTT adaptive streaming with the efficiency of multicast has re-emerged, and GPAC is at the forefront of meeting this challenge.

GPAC’s involvement in HbbTV dates back to 2011, with carousel technologies in use for enhanced radio services as early as 2009 through initiatives like the Radio+ project. When ATSC 3.0 proposed ROUTE, GPAC quickly implemented it, earning the 2018 NAB Innovation Award. This achievement was made possible through the collaborative efforts of our academic partner, Telecom Paris, and GPAC’s commercial arm, Motion Spell, as part of the ConvergenceTV consortium.

Fast forward to 2023, and Motion Spell (the commercial entity backing GPAC) has been selected as the DVB MABR (leveraging FLUTE, a protocol related to ROUTE) solution, positioning it as a potential future standard in the industry. This recognition further cements our role as a leader in the development of cutting-edge media delivery technologies.

Innovating with Sustainability: The SMART-CD Initiative

In media technology, sustainability has become increasingly important. At GPAC, we recognize that innovation must go hand in hand with environmental responsibility. That’s why we’re proud to be part of the SMART-CD consortium, which stands for “Sustainable Media Architecture for TV Content Delivery,” an initiative aimed at addressing the environmental and technological challenges associated with TV service distribution. 

This consortium focuses on optimizing video distribution infrastructure, reducing redundancy in content production and delivery, and developing energy-efficient codecs and transport protocols. It is also dedicated to exploring how MABR can reduce the environmental footprint of media delivery, all while maintaining the high-quality experiences that consumers expect. One of its key goals is to create metrics to accurately measure and reduce the carbon footprint of video streaming, particularly within cloud-native architectures.

Through SMART-CD, we are conducting rigorous experiments to assess the potential for energy savings and other environmental benefits when deploying MABR technology. This work not only reinforces GPAC’s commitment to cutting-edge media solutions but also highlights our dedication to driving sustainability within the industry.

The consortium is a collaboration between various industry leaders, including Motion Spell, Telecom Paris, Ateme, Viaccess-Orca, Nexedi, Greenweb and others, and is working on building a sustainable video streaming ecosystem. This includes creating a monitoring framework to collect environmental impact data and an orchestration agent to dynamically manage energy efficiency across the entire video delivery chain.

Conclusion

The journey towards perfecting multicast-ABR and its integration into modern media landscapes is ongoing. At GPAC, we are proud to contribute to this evolving narrative, combining our technical expertise with a forward-thinking approach. As we continue to innovate, we invite you to join us in shaping the future of media.

Introducing GPAC.WASM – the new WebAssembly Interface to try GPAC

Embarking on the multimedia processing journey with GPAC has never been easier or more accessible, thanks to the GPAC WebAssembly (WASM) Platform. This innovative new interface is designed with every user in mind, from coding novices to seasoned command-line veterans.

By removing the need for installation and offering a straightforward, interactive interface, we’re opening up the world of GPAC to a broader audience than ever before. No matter your experience level, the GPAC WASM Platform provides a welcoming space to experiment with, learn, and leverage GPAC’s comprehensive multimedia capabilities. 

Dive into our ready-to-use commands or craft your own to see what GPAC can do for you, all while bypassing the common hurdles of getting started. Join us in demystifying multimedia processing, making it more approachable and enjoyable for everyone.

What can you do with the new GPAC WASM Platform?

Before we dive into the possibilities unlocked by the GPAC WASM Platform, let’s take a moment to understand the technology it’s built upon: WebAssembly (WASM).

WebAssembly (WASM) enables high-performance execution of code on Web browsers, providing a fast and efficient alternative to JavaScript for Web applications. WebAssembly represents a significant advancement in performance, bridging the gap between native applications and Web browsers. 

The new GPAC WASM platform opens up exciting possibilities for everyone to experience the power of GPAC with just one click. 

Historically, leveraging GPAC’s full suite of multimedia processing tools required a certain level of technical know-how, including installation and command-line navigation. This necessity often posed a daunting barrier for many, from individuals curious about multimedia processing to professionals seeking efficient, browser-based solutions.

The new platform showcases popular use-cases along with their corresponding command-lines, guiding users effortlessly into the world of GPAC.

  • Audiovisual Play:
    • Command: gpac -i https://wasm-cli.staging.motionspell.com/data/video_180.mp4 -i https://wasm-cli.staging.motionspell.com/data/audio.mp4 aout vout
    • Plays an audiovisual file combining video and audio streams from the provided URLs. This demonstrates GPAC’s capability to synchronize and render multimedia content.
  • Inspect Media:
    • Command: gpac -i https://wasm-cli.staging.motionspell.com/data/video_180.mp4 -i https://wasm-cli.staging.motionspell.com/data/audio.mp4 inspect:full
    • Provides a detailed analysis of the media properties for both the video and audio streams. It’s a powerful tool for understanding the technical specifics and encoding parameters of multimedia files.
  • Trick Mode:
    • Command: gpac -i https://wasm-cli.staging.motionspell.com/data/video_180.mp4 @#Video reframer:saps=1 @ -o iframes.mp4
    • Demonstrates the manipulation of a video stream to extract and save only the I-frames to a new file. This is particularly useful for editing, analyzing, or optimizing video content.
  • Extra Content from a .mpd:
    • Command: gpac -i https://wasm-cli.staging.motionspell.com/data/dash/bbb_30fps.mpd dashin:forward=file -o 'dump/$File$':dynext
    • Shows how to process adaptive streaming content (DASH) by downloading segments from a .mpd (Media Presentation Description) file and saving them. It highlights GPAC’s capabilities in handling streaming media and adaptive bitrate streaming.

As GPAC 2.0 brought support for Python and NodeJS, we felt WebAssembly had the potential to become our next binding (even before the C#, Go, or Rust bindings our community has been discussing).

The introduction of GPAC WASM Platform marks a pivotal development made possible by the GPAC Community. It creates new pathways for usage and deployment scenarios that leverage the versatility of the web. 

This evolution of GPAC through WebAssembly harnesses the power of the web to bring multimedia processing to a wider audience, overcoming barriers previously posed by installation requirements and technical complexities. 

Despite the inherent limitations set by the WebAssembly specification, toolchains, and web browser constraints, we are committed to expanding the platform’s capabilities based on user feedback. 

While the WASM Platform offers a convenient and accessible way to explore many of GPAC’s features, it is worth noting that this web-based version represents a curated selection of what GPAC can do. For those who find themselves bumping up against these boundaries and seeking access to GPAC’s full suite of tools and capabilities, we recommend considering a native installation of GPAC. Doing so may provide a more extensive and in-depth multimedia processing experience.

By bridging the gap between ease of access and powerful functionality, we hope to foster a community of users who feel empowered to experiment with and contribute to the evolution of GPAC. Whether through the GPAC WASM Platform or a native installation, there’s a wealth of potential waiting to be discovered for your multimedia projects.

GPAC 2.4

We are happy to announce the release of GPAC 2.4.

This release marks the beginning of GPAC in your browser with emscripten support, with a live demo at https://wasm.gpac.io!

This release also brings many new features including pcap support, async net IOs, JIT packaging for on-demand content and better subtitle/CC support.

As usual, installers are available on gpac.io for most common platforms.

Enjoy, give us feedback and spread the news!


GPAC documentation updates

Announcing New Documentation for GPAC

For over two decades, GPAC and MP4Box have been at the forefront of multimedia processing innovation, continuously evolving and expanding their capabilities. This journey has seen the software mature and grow in scope over time. The documentation, too, has accumulated and evolved, with specific portions even becoming deprecated. As the GPAC landscape widened, we saw a need for accessible, up-to-date documentation that was able to grow alongside our technologies.

Ten years ago, as we moved to GitHub for our public version control server, we migrated to the GitHub wiki system, a nice improvement in developer experience for producing documentation at the time. This move marked a significant step forward, facilitating the creation and sharing of knowledge.

But today, with the large amount of documentation now provided to cover usage of GPAC filters alongside MP4Box, we felt the GitHub Wiki had shown its limits: the lack of support for HTTP redirects and the poor search functionality of GitHub’s Wiki made it less appealing compared to the many alternatives available these days for software documentation.

Introducing a better documentation solution based on mkdocs

We settled on the excellent mkdocs framework, using the popular Material for MkDocs theme. This transition is not merely a change of platform but a significant upgrade to how our community accesses and interacts with GPAC documentation.

The upgrade provides a more refined user experience, a nicer look and feel on any device, a light and dark mode, improved navigation, an intuitive layout and table of contents. 

The upgraded GPAC Wiki is now hosted in a GitHub repository of its own, making it easier to welcome contributions to the documentation.

But most importantly, the new documentation is now instantly searchable, making it easier than ever to find the relevant information for your MP4Box and GPAC use cases.

We invite you to explore the new documentation site at wiki.gpac.io.

Your feedback is invaluable to us: you can contribute to the documentation or share your suggestions for improvements as issues on GitHub.