CVE-2025-54072: yt-dlp vulnerability

Severity: 8.1 HIGH (NVD)
EPSS: 0.2% (percentile: top 60.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 22, 2025

Description

yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the
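The description above boils down to one bug class: a filename chosen by whoever uploaded the video is pasted into an operator-supplied --exec template and the result is handed to cmd.exe. The following Python is an added illustration written for this page; it is not yt-dlp's code, and `expand_unescaped`, `build_argv`, `run_exec`, the template and the sample paths are all hypothetical. It shows the unescaped expansion beside a hardened variant that keeps the path out of the shell parser entirely.

```python
"""Added illustration of the bug class behind CVE-2025-54072: a downloaded
file's path is substituted into an operator-supplied --exec template and the
result is handed to a shell. Not yt-dlp's code; all names here are
hypothetical and the sample paths are constructed."""
import shlex
import subprocess

# Characters cmd.exe interprets as command separators, redirections or
# variable expansion. Used only to flag a risky expansion in this example.
CMD_METACHARS = frozenset('&|<>^%!')

# Constructed sample inputs, not real files or a real payload.
TEMPLATE = 'ffprobe {}'
SAFE_PATH = r'C:\dl\clip.mp4'
HOSTILE_PATH = r'C:\dl\clip & calc.exe .mp4'   # filename chosen by the uploader


def expand_unescaped(template: str, filepath: str) -> str:
    """Naive expansion: the path is pasted into the command line verbatim.
    Passing this string to cmd.exe lets metacharacters in the filename act
    as shell syntax, which is the failure mode the advisory describes."""
    return template.replace('{}', filepath)


def shell_metachars_in(command_line: str) -> set:
    """Metacharacters present in a command line that a shell would parse."""
    return {c for c in command_line if c in CMD_METACHARS}


def build_argv(template: str, filepath: str) -> list:
    """Hardened expansion: split the operator's template into argv first,
    then substitute the path into whole arguments. If the template has no
    placeholder the path is appended as the last argument (modelled on
    --exec's documented default of appending the filepath). The result is
    meant for subprocess.run(argv, shell=False), so the path never reaches
    cmd.exe.

    Assumption: the template is trusted operator input and is tokenised with
    POSIX shlex rules (backslashes inside the template must be doubled)."""
    argv = shlex.split(template)
    if not any('{}' in arg for arg in argv):
        return argv + [filepath]
    return [arg.replace('{}', filepath) for arg in argv]


def run_exec(argv: list, dry_run: bool = True) -> int:
    """Run the expanded command without a shell. dry_run avoids spawning
    anything when the example is executed stand-alone."""
    if dry_run:
        return 0
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == '__main__':
    for path in (SAFE_PATH, HOSTILE_PATH):
        naive = expand_unescaped(TEMPLATE, path)
        flagged = sorted(shell_metachars_in(naive)) or 'none'
        print('naive:', naive, '| shell metachars:', flagged)
        print('argv :', build_argv(TEMPLATE, path))
```

The design choice is deliberate: quoting for cmd.exe is unreliable (`%` and `!` can expand even inside double quotes), so the robust fix is not a better escaper but an argv list passed with `shell=False`. That is also why the advisory's interim advice for unpatched Windows users is to avoid --exec rather than to hand-escape filenames.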

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (2 packages)

NVD: yt-dlp_project/yt-dlp < 2025.07.21
Debian: debian/yt-dlp

Patches

Vendor Advisories (1)

Debian: CVE-2025-54072: yt-dlp - yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.0... (2025)