CVE-2025-66203
Remote Code Execution in StreamVault via Unsafe yt-dlp Args
Publication date: 2025-12-27
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lemon8866 | streamvault | < 251126 (all releases before 251126) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Remote Code Execution (RCE) issue in the StreamVault application (SpiritApplication) prior to version 251126. The /admin/api/saveConfig endpoint lets an administrator set yt-dlp arguments without validating them. The arguments are stored globally and later appended to the command line each time the application runs yt-dlp, so an administrator can supply options such as --exec, which make yt-dlp itself run an arbitrary command on the server. Note that no shell metacharacter injection is needed: even when the application passes the arguments to yt-dlp as a proper argument list, the exec-family options are executed by yt-dlp by design, which is why the fix has to validate the arguments themselves.
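The pattern behind this CVE, as an added example that is not StreamVault's code: a stored administrator string is split and spliced into the yt-dlp argument list, so `--exec-before-download` (the flag in the public proof of concept on this page) reaches yt-dlp intact. The hardened version validates the stored string against an allowlist of options. The allowlist itself, the function names and the example URL are assumptions for this illustration; a denylist of `--exec` alone would be weaker, because yt-dlp's option parser is built on optparse, which accepts unambiguous abbreviations of long option names, so `--exe` would get through.

```python
import shlex

# Added example, not StreamVault's code. It models the bug class on this page:
# operator-supplied yt-dlp arguments spliced into the yt-dlp command line.
# Even with a proper argv list (no shell=True), yt-dlp's own --exec family
# runs arbitrary commands, so the argument *content* is the attack surface.

# Allowlist of yt-dlp options an admin may store, mapped to whether the option
# takes a value. Hypothetical policy chosen for this example; extend as needed.
ALLOWED_OPTIONS = {
    "-f": True, "--format": True,
    "-S": True, "--format-sort": True,
    "--merge-output-format": True,
    "-r": True, "--rate-limit": True,
    "-R": True, "--retries": True,
    "--sub-langs": True,
    "--no-playlist": False,
    "--write-subs": False,
    "--restrict-filenames": False,
}


def build_command_unsafe(url: str, admin_args: str) -> list[str]:
    """Vulnerable pattern: the stored admin string is appended verbatim."""
    return ["yt-dlp", *shlex.split(admin_args), "--", url]


def validate_admin_args(admin_args: str) -> list[str]:
    """Return the tokens of admin_args if every option is allowlisted.

    Raises ValueError for any option not in ALLOWED_OPTIONS (this covers
    --exec, --exec-before-download and abbreviated spellings such as --exe),
    for '--opt=value' forms of unknown options, for missing or malformed
    values, and for positional tokens (URLs come from the job, never from
    the stored configuration).
    """
    tokens = shlex.split(admin_args)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"positional argument not allowed in stored args: {tok!r}")
        name = tok.split("=", 1)[0]
        has_inline_value = "=" in tok
        if name not in ALLOWED_OPTIONS:
            raise ValueError(f"option not allowlisted: {name!r}")
        takes_value = ALLOWED_OPTIONS[name]
        if takes_value and not has_inline_value:
            # Defence in depth: never let an option-looking token act as a value.
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                raise ValueError(f"option {name!r} requires a value")
            i += 1  # consume the value token
        elif not takes_value and has_inline_value:
            raise ValueError(f"option {name!r} does not take a value")
        i += 1
    return tokens


def admin_args_accepted(admin_args: str) -> bool:
    """Convenience wrapper: True if the stored string passes validation."""
    try:
        validate_admin_args(admin_args)
    except ValueError:
        return False
    return True


def build_command_safe(url: str, admin_args: str) -> list[str]:
    """Hardened pattern: only allowlisted options reach the command line."""
    return ["yt-dlp", *validate_admin_args(admin_args), "--", url]


if __name__ == "__main__":
    poc = "--exec-before-download 'touch /tmp/success_rce'"   # flag from the PoC
    print(build_command_unsafe("https://example.invalid/v", poc))
    try:
        build_command_safe("https://example.invalid/v", poc)
    except ValueError as err:
        print("rejected:", err)
    print(build_command_safe("https://example.invalid/v", "-f best --no-playlist"))
```

The allowlist is deliberately small; the safer default for a web application is to expose a handful of typed settings (format, rate limit, subtitle languages) in the admin UI and build the argument list from those, so that the free-form argument string never exists.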
How can this vulnerability impact me?
An attacker who holds, or has obtained, a StreamVault administrator session can execute arbitrary commands on the host running StreamVault, with the privileges of the account under which the application launches yt-dlp. That can lead to full compromise of the system: unauthorized access, data theft, data modification, or denial of service. The trust boundary crossed here is from application administrator to operating-system command execution, so the impact is not limited to the application's own data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade StreamVault to version 251126 or later, where the issue has been patched. After upgrading, also review the yt-dlp arguments currently stored in the configuration for --exec, --exec-before-download and related options, since a value saved before the upgrade may still be present. Until the upgrade is applied, restrict who can reach /admin/api/saveConfig and treat every StreamVault administrator account as equivalent to shell access on the host.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Version check: StreamVault releases before 251126 are affected; confirm the running version and compare it with 251126. Exploitation requires an authenticated administrator session, so a live check of the endpoint needs one as well. Be aware that the curl request below is the proof-of-concept exploit rather than a passive probe: once the arguments are saved, yt-dlp runs the supplied command on the server the next time a download is processed, so send it only to a test instance you are authorized to break.
1) Confirm that the endpoint accepts exec-family arguments (PoC; executes touch /tmp/success_rce on the server): curl -X POST -H "Cookie: <admin_session_cookie>" -d '{"ytdlpargs":"--exec-before-download touch /tmp/success_rce"}' https://<streamvault_host>/admin/api/saveConfig
2) Check for the marker file the PoC creates: ls -l /tmp/success_rce. A real attacker will not leave this file, so inspect the yt-dlp arguments stored in the application's configuration for --exec, --exec-before-download and related options instead.
3) Review web server logs for POST requests to /admin/api/saveConfig, in particular from unexpected source addresses, outside change windows, or from scripted clients. Access logs normally do not record the request body, so the flags themselves are visible only in application-level request logging or in the stored configuration. [2]
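The two detection steps above as an added example (not part of the original page or the StreamVault project): a scan of reverse-proxy access logs for successful POSTs to /admin/api/saveConfig, flagging those from addresses outside a known set of admin workstations, and a check of a stored yt-dlp argument string for exec-family options. The log lines, the trusted-address set and the stored configuration string are constructed for the example; the combined log format is an assumption about what sits in front of StreamVault.

```python
import re
import shlex

SAVECONFIG_PATH = "/admin/api/saveConfig"

# Apache/nginx "combined" access log format. Assumption for this example:
# adjust the pattern if the proxy in front of StreamVault logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic for the example, not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Dec/2025:10:14:02 +0000] "POST /admin/api/saveConfig HTTP/1.1" 200 57 "-" "curl/8.5.0"
10.0.0.12 - - [27/Dec/2025:10:15:30 +0000] "GET /admin/api/config HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.12 - - [27/Dec/2025:10:16:01 +0000] "POST /admin/api/saveConfig HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Dec/2025:10:17:44 +0000] "POST /admin/api/saveConfig HTTP/1.1" 401 23 "-" "curl/8.5.0"
"""


def saveconfig_writes(log_text: str, trusted_admin_ips: set[str]) -> list[dict]:
    """Return every successful (2xx) POST to the saveConfig endpoint.

    Each event carries the source address and whether it falls outside the
    set of addresses admins are expected to use. Failed attempts (e.g. 401)
    are not returned here; count them separately if brute forcing is a concern.
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path != SAVECONFIG_PATH:
            continue
        if not m["status"].startswith("2"):
            continue
        events.append({
            "time": m["time"],
            "ip": m["ip"],
            "untrusted_source": m["ip"] not in trusted_admin_ips,
        })
    return events


def exec_flags_in_args(ytdlp_args: str) -> list[str]:
    """Tokens of a stored yt-dlp argument string that belong to the --exec family.

    Any token starting with '--exe' is reported, because yt-dlp's option parser
    is built on optparse, which accepts unambiguous abbreviations of long
    options, so '--exe' or '--exec-b' would behave like '--exec'.
    """
    try:
        tokens = shlex.split(ytdlp_args)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        tokens = ytdlp_args.split()
    return [t for t in tokens if t.startswith("--exe")]


if __name__ == "__main__":
    for event in saveconfig_writes(SAMPLE_LOG, {"10.0.0.12"}):
        print(event)
    # Constructed stored configuration value containing the PoC's flag.
    stored_args = "--exec-before-download 'touch /tmp/success_rce' -f best"
    print("exec-family flags in stored config:", exec_flags_in_args(stored_args))
```

The log check tells you that the configuration was written and by whom; only the stored value, or application-level logging of the request body, tells you what was written. Run both after any suspected compromise, and remember that an attacker who already executed commands through yt-dlp may have edited the configuration back afterwards.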
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.