CVE-2025-43858

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-43858
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43858.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43858
Aliases
Published
2025-04-24T18:04:48.447Z
Modified
2025-11-20T12:36:19.483054Z
Severity
  • 9.2 (Critical) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
Summary
YoutubeDLSharp allows command injection on windows system due to non sanitized arguments
Details

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting yt-dlp from a commands prompt running on Windows OS with the UseWindowsEncodingWorkaround value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.

Database specific 
{
    "cwe_ids": [
        "CWE-77",
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/bluegrams/youtubedlsharp

Affected ranges

Type
GIT
Repo
https://github.com/bluegrams/youtubedlsharp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b6051372bd5af30f95f73de47d9bc71c3a07de0f
Fixed
fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50

Affected versions

v.*

v.1.0.0
v.1.1.0