CVE-2025-54072
BaseFortify
Publication date: 2025-07-22
Last updated on: 2025-10-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yt-dlp_project | yt-dlp | up to 2025.07.21 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in yt-dlp versions 2025.06.25 and below occurs when the --exec option is used on Windows with the default placeholder (or {}). Insufficient sanitization of the expanded filepath allows an attacker to execute code remotely. It bypasses the previous mitigation for CVE-2024-22423 because the default placeholder and {} were not properly escaped.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely on a Windows system running vulnerable versions of yt-dlp with the --exec option. This can lead to full compromise of the affected system, including unauthorized access, data theft, or system damage.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, Windows users should avoid using the --exec option with yt-dlp until they can upgrade to version 2025.07.21 or later. Instead, use the --write-info-json or --dump-json options and process the JSON output with an external script or command line. Upgrading to version 2025.07.21, where the issue is fixed, is the recommended solution.
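
The JSON-based workaround described above can be sketched as follows. This is an added example, not code from the advisory or from the yt-dlp project: it reads one JSON record, validates the file path, and passes it to a post-processing program as a single argument with no shell involved. It assumes the record carries the output path in a `filename` field (as in the constructed sample), and `ECHO_TOOL` is a hypothetical stand-in for the real post-processing executable.

```python
import json
import subprocess
import sys

# Constructed sample: one line of `yt-dlp --dump-json` style output.
# Assumption: the record exposes the output path in a "filename" field.
SAMPLE_LINE = json.dumps({
    "id": "abc123",
    "title": "clip & echo injected",
    "filename": 'clip & echo "injected" %PATH%.mp4',
})


def extract_path(json_line):
    """Return the media path from one JSON record, or raise ValueError."""
    record = json.loads(json_line)
    path = record.get("filename")
    if not isinstance(path, str) or not path:
        raise ValueError("record has no usable filename")
    # Control characters (NUL, CR, LF, ...) have no place in a file path.
    if any(ord(ch) < 0x20 for ch in path):
        raise ValueError("control character in filename")
    # A leading '-' could be parsed as an option by the receiving tool.
    if path.startswith("-"):
        path = "./" + path
    return path


def build_argv(tool_argv, json_line):
    """Append the path as a single argv element; no command string is built."""
    if tool_argv[0].lower().endswith((".bat", ".cmd")):
        # Batch files are run through cmd.exe, which re-parses arguments.
        raise ValueError("use a real executable, not a batch wrapper")
    return list(tool_argv) + [extract_path(json_line)]


def run_post_step(tool_argv, json_line):
    """Run the tool without a shell and return what it printed."""
    argv = build_argv(tool_argv, json_line)
    done = subprocess.run(argv, shell=False, check=True,
                          capture_output=True, text=True)
    return done.stdout.rstrip("\n")


# Hypothetical stand-in for a post-processing tool: echoes its first argument.
ECHO_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

if __name__ == "__main__":
    print(run_post_step(ECHO_TOOL, SAMPLE_LINE))
```

The tool receives the path byte for byte, including `&`, quotes and `%`, because nothing along the way interprets it as command text.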