THREATINT
PUBLISHED

CVE-2025-54072

yt-dlp allows `--exec` command injection when using placeholder on Windows



Description

yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.

Reserved 2025-07-16 | Published 2025-07-22 | Updated 2025-07-22 | Assigner GitHub_M


HIGH: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 2025.07.21: affected

References

github.com/...yt-dlp/security/advisories/GHSA-45hg-7f49-5h56

github.com/...ommit/959ac99e98c3215437e573c22d64be42d361e863

github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21

cve.org (CVE-2025-54072)

nvd.nist.gov (CVE-2025-54072)
