CVE-2023-6605: 
Ffmpeg vulnerability analysis and mitigation

CVE-2023-6605 is a vulnerability discovered in FFmpeg's DASH (Dynamic Adaptive Streaming over HTTP) playlist support. The vulnerability was disclosed on January 6, 2025, affecting FFmpeg versions 4.2 through 6.0 when compiled with libxml2 support (NVD, RedHat Bugzilla).

The vulnerability stems from the DASH demuxer's failure to check the protocol whitelist before triggering the HTTP demuxer. This behavior results in the whitelist being updated to include multiple protocols including http, https, tls, rtp, tcp, udp, crypto, httpproxy, and data. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows an attacker to make arbitrary HTTP GET requests on behalf of the machine running FFmpeg. Since the responses to these HTTP requests are treated as input to FFmpeg, an attacker can construct a DASH playlist that first requests content from an attacker-controlled web server, potentially leading to data exfiltration (RedHat Bugzilla).

The recommended mitigation is to restrict DASH playlist URIs to only data:// and file:// protocols unless otherwise specified with protocolwhitelist. Organizations should also consider implementing strict input validation and controlling which protocols are allowed in their FFmpeg deployments ([RedHat Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=2334336)).