CVE Alert: CVE-2025-54072
Vulnerability Summary: CVE-2025-54072
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the –exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using –exec altogether. Instead, the –write-info-json or –dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
Affected Endpoints:
No affected endpoints listed.
Published Date:
7/22/2025, 10:15:37 PM
🔥 CVSS Score:
Exploit Status:
Not ExploitedReferences:
- https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863
- https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
