Description

yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.

INFO

Published Date :

2025-07-22T21:34:43.408Z

Last Modified :

2025-07-23T18:30:06.761Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54072 vulnerability.

Vendors Products
Yt-dlp Project
  • Yt-dlp
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54072.

URL Resource
https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863 cve-icon cve-icon
https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21 cve-icon cve-icon
https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact