CVE-2025-66203
Remote Code Execution in StreamVault via Unsafe yt-dlp Args

Publication date: 2025-12-27

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
Meta Information
Published: 2025-12-27
Last Modified: 2026-03-09
Generated: 2026-06-16
AI Q&A: 2025-12-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: lemon8866
Product: streamvault
Version / Range: up to 251126 (exclusive)
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a Remote Code Execution (RCE) issue in the StreamVault application (SpiritApplication) prior to version 251126. It occurs because administrators can configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and later used to construct the command line for yt-dlp execution, allowing an attacker to execute arbitrary code remotely.

Impact Analysis

The vulnerability can allow an attacker with administrative privileges to execute arbitrary code on the system running StreamVault. This can lead to full system compromise, including unauthorized access, data theft, data modification, or denial of service.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the StreamVault application to version 251126 or later, where the issue has been patched.

Detection Guidance

This vulnerability can be detected by checking if the StreamVault application is running a version prior to 251126 (or specifically prior to 2025.11.12) and if the /admin/api/saveConfig endpoint allows setting yt-dlp arguments without validation. To detect exploitation attempts, you can look for unusual POST requests to /admin/api/saveConfig containing suspicious yt-dlp flags such as --exec or --exec-before-download. Additionally, monitoring for the creation of unexpected files like /tmp/success_rce on the server can indicate exploitation.

Example commands to detect exploitation attempts include:

1) Using curl to check if the endpoint accepts malicious arguments:

   curl -X POST -H "Cookie: <admin_session_cookie>" -d '{"ytdlpargs":"--exec-before-download touch /tmp/success_rce"}' https://<streamvault_host>/admin/api/saveConfig

2) Checking for the presence of the file created by exploitation:

   ls -l /tmp/success_rce

3) Monitoring web server logs for POST requests to /admin/api/saveConfig with suspicious parameters.

Note that detection requires administrative access or valid session tokens, as exploitation requires authentication. [2]
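The log check described above, as an added example that is not code from the advisory or from the StreamVault project: it scans request records for POSTs to /admin/api/saveConfig whose ytdlpargs value contains an option starting with --exec. The record layout (ts, src, method, path, body) and the sample entries are constructed, and it assumes a log source that captures request bodies.

```python
import json
import shlex

CONFIG_PATH = "/admin/api/saveConfig"   # endpoint named in the advisory
ARGS_KEY = "ytdlpargs"                  # JSON key used in the page's curl example
EXEC_PREFIX = "--exec"                  # covers --exec and --exec-before-download

def exec_flags(arg_string):
    """Return yt-dlp option names in arg_string that begin with --exec."""
    try:
        tokens = shlex.split(arg_string)
    except ValueError:              # unbalanced quotes: still inspect the tokens
        tokens = arg_string.split()
    names = (tok.split("=", 1)[0] for tok in tokens)
    return [n for n in names if n.startswith(EXEC_PREFIX)]

def scan(records):
    """Return (ts, src, flags) for each saveConfig POST that sets an --exec* flag."""
    findings = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        if rec.get("path", "").split("?", 1)[0] != CONFIG_PATH:
            continue
        try:
            body = json.loads(rec.get("body") or "")
        except json.JSONDecodeError:
            continue                # body is not JSON: nothing to inspect here
        args = body.get(ARGS_KEY) if isinstance(body, dict) else None
        flags = exec_flags(args) if isinstance(args, str) else []
        if flags:
            findings.append((rec.get("ts"), rec.get("src"), flags))
    return findings

# Constructed sample records (assumed audit-log layout with request bodies captured).
SAMPLE = [
    {"ts": "2025-11-20T10:01:02Z", "src": "198.51.100.7", "method": "POST",
     "path": CONFIG_PATH, "body": '{"ytdlpargs": "--format best --no-playlist"}'},
    {"ts": "2025-11-20T10:04:41Z", "src": "203.0.113.9", "method": "POST", "path": CONFIG_PATH,
     "body": '{"ytdlpargs": "--exec-before-download touch /tmp/success_rce"}'},
    {"ts": "2025-11-20T10:05:13Z", "src": "203.0.113.9", "method": "POST",
     "path": CONFIG_PATH + "?x=1", "body": '{"ytdlpargs": "-f best --exec=\\"echo done"}'},
    {"ts": "2025-11-20T10:09:00Z", "src": "198.51.100.7", "method": "GET",
     "path": CONFIG_PATH, "body": ""},
]

if __name__ == "__main__":
    for ts, src, flags in scan(SAMPLE):
        print(ts, src, ",".join(flags))
```

Matching on the option-name prefix rather than on exact strings also catches the `--exec=value` form and argument strings with unbalanced quotes, as the third sample record shows.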
