CVE-2025-43858

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-43858
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43858.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43858
Aliases
Related
Published
2025-04-24T18:15:20Z
Modified
2025-04-29T14:49:18.920827Z
Summary
[none]
Details

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting yt-dlp from a commands prompt running on Windows OS with the UseWindowsEncodingWorkaround value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.

References

Affected packages

Git / github.com/bluegrams/youtubedlsharp

Affected ranges

Type
GIT
Repo
https://github.com/bluegrams/youtubedlsharp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v.*

v.1.0.0
v.1.1.0