yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
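The workaround described above (an external script consuming yt-dlp's JSON output instead of `--exec`), sketched as an added example that is not yt-dlp's own code: the path is passed as a single argv element and never templated into a command string. The `filename` field name, the `downloads` directory and the `ffprobe.exe` handler are assumptions for illustration.

```python
import json
import subprocess
from pathlib import Path

# Extensions that Windows runs through cmd.exe, which re-parses the command line.
SHELL_INTERPRETED = {".bat", ".cmd"}


def build_argv(json_line, download_dir, handler, field="filename"):
    """Turn one line of yt-dlp JSON output into an argv list for `handler`.

    The path is carried as one list element and is never spliced into a
    command string, so characters such as & | % ^ stay plain data.
    `field` is an assumed key name; adjust it to the JSON you actually get.
    """
    info = json.loads(json_line)
    name = info.get(field)
    if not isinstance(name, str) or not name:
        raise ValueError(f"JSON has no usable {field!r} field")
    if any(ord(ch) < 32 for ch in name):
        raise ValueError("control character in filename")
    if Path(handler).suffix.lower() in SHELL_INTERPRETED:
        raise ValueError("handler must not be a batch file")
    root = Path(download_dir).resolve()
    target = (root / name).resolve()
    # Reject absolute paths or ../ sequences that leave the download folder.
    if not target.is_relative_to(root):
        raise ValueError("filename escapes the download directory")
    return [str(handler), str(target)]


def run_handler(argv):
    # A list with shell=False: no cmd.exe and no string templating.
    return subprocess.run(argv, shell=False, check=True)


# Constructed sample line; real output carries many more fields.
SAMPLE = json.dumps({"id": "abc123", "filename": "My & video (100%) ^demo.mp4"})

if __name__ == "__main__":
    print(build_argv(SAMPLE, "downloads", "ffprobe.exe"))
```

Batch-file handlers are rejected because Windows launches them through cmd.exe, which would interpret the metacharacters again.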
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 23 Jul 2025 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 23 Jul 2025 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Yt-dlp Project; Yt-dlp Project yt-dlp |
| Vendors & Products | | Yt-dlp Project; Yt-dlp Project yt-dlp |

Tue, 22 Jul 2025 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21. |
| Title | | yt-dlp allows `--exec` command injection when using placeholder on Windows |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-07-23T18:30:06.761Z

Reserved: 2025-07-16T13:22:18.205Z

Link: CVE-2025-54072

Vulnrichment

Updated: 2025-07-23T18:30:00.764Z

NVD

Status: Awaiting Analysis

Published: 2025-07-22T22:15:37.943

Modified: 2025-07-25T15:29:44.523

Link: CVE-2025-54072

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-23T17:36:00Z