CVE-2025-62363
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-14
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yt-dlp | yt-dlp | * |
| zheny-creator | yt-grabber-tui | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in yt-grabber-tui versions before 1.0-rc allows an attacker who has write access to the configuration file or the filesystem location of the yt-dlp executable to replace the executable with malicious code or create a symlink to an arbitrary executable. When yt-grabber-tui runs yt-dlp, the malicious code is executed with the privileges of the user running the application.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to execution of arbitrary malicious code with the same privileges as the user running yt-grabber-tui. This can result in compromise of the user's system, including potential data theft, system manipulation, or further attacks.
What immediate steps should I take to mitigate this vulnerability?
Upgrade yt-grabber-tui to version 1.0-rc or later, as this version contains the patch for the vulnerability. Additionally, ensure that only trusted users have write access to the configuration file and the filesystem location of the yt-dlp executable to prevent replacement or symlink attacks.
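The mitigation above boils down to one question: can the account running the TUI trust the file it is about to execute? The following added example (not code from yt-grabber-tui or yt-dlp; `audit_path` and `demo` are hypothetical helpers written for this page) shows the pre-execution checks that address the CWE-59 pattern: the configured path must not be a symlink, must be a regular file owned by the current user or root, must not be writable by group or others, and must sit in a directory that others cannot write to. The sample files it inspects are constructed in a temporary directory.

```python
"""Pre-execution trust checks for an externally configured helper binary."""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path


def audit_path(path: str, expect_executable: bool = True) -> list[str]:
    """Return the findings that make `path` unsafe to execute; [] means it passed.

    Hypothetical helper (not from yt-grabber-tui). Each finding maps to a way
    an attacker with write access could redirect execution: link indirection,
    a replaced file, or a writable file/directory.
    """
    findings: list[str] = []
    p = Path(path)
    try:
        st = p.lstat()                      # do not follow links yet
    except FileNotFoundError:
        return ["path does not exist"]

    if stat.S_ISLNK(st.st_mode):
        findings.append(f"symlink -> {os.readlink(path)}")
        try:
            st = p.stat()                   # inspect the link target as well
        except FileNotFoundError:
            return findings + ["dangling symlink"]

    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")

    me = os.getuid() if hasattr(os, "getuid") else st.st_uid
    if st.st_uid not in (me, 0):
        findings.append(f"owned by uid {st.st_uid}, not current user or root")

    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")

    if expect_executable and not st.st_mode & stat.S_IXUSR:
        findings.append("not executable by owner")

    parent = p.parent.stat()
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory writable by group or others")

    return findings


def demo() -> dict[str, list[str]]:
    """Audit a constructed layout in a temp dir (sample data, not real paths)."""
    root = Path(tempfile.mkdtemp())
    root.chmod(0o755)

    good = root / "yt-dlp"                  # what a sane install looks like
    good.write_text("#!/bin/sh\necho ok\n")
    good.chmod(0o755)

    loose = root / "yt-dlp-loose"           # anyone on the host may overwrite it
    loose.write_text("#!/bin/sh\necho ok\n")
    loose.chmod(0o777)

    link = root / "yt-dlp-link"             # indirection to another binary
    link.symlink_to(good)

    return {
        "good": audit_path(str(good)),
        "loose": audit_path(str(loose)),
        "link": audit_path(str(link)),
        "missing": audit_path(str(root / "nope")),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'OK'}")
```

Run the same function over the configuration file with `expect_executable=False`: the advisory's attacker needs write access to either the config or the binary's location, so both paths deserve the check before the TUI spawns a subprocess.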