CVE-2025-54072

Source
https://cve.org/CVERecord?id=CVE-2025-54072
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54072.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54072
Aliases
  • GHSA-45hg-7f49-5h56
Published
2025-07-22T21:34:43.408Z
Modified
2026-07-15T01:48:52.969083262Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
yt-dlp allows `--exec` command injection when using placeholder on Windows
Details

yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54072.json"
}
References

Affected packages

Git / github.com/yt-dlp/yt-dlp

Affected ranges

Type
GIT
Repo
https://github.com/yt-dlp/yt-dlp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2025.07.21"
        }
    ]
}

Affected versions

2021.*
2021.01.07
2021.01.08
2021.01.09
2021.01.10
2021.01.12
2021.01.14
2021.01.16
2021.01.20
2021.01.29
2021.02.04
2021.02.09
2021.02.15
2021.02.19
2021.02.24
2021.03.01
2021.03.03.2
2021.03.07
2021.03.15
2021.03.24
2021.03.24.1
2021.04.03
2021.04.11
2021.04.22
2021.05.11
2021.06.01
2021.06.08
2021.06.09
2021.06.23
2021.07.07
2021.07.21
2021.07.24
2021.08.02
2021.08.10
2021.09.02
2021.09.25
2021.10.09
2021.10.10
2021.10.22
2021.11.10
2021.11.10.1
2021.12.01
2021.12.25
2021.12.27
2022.*
2022.02.03
2022.02.04
2022.03.08.1
2022.04.08
2022.05.18
2022.06.22
2022.06.22.1
2022.06.29
2022.07.18
2022.08.08
2022.08.14
2022.08.19
2022.09.01
2022.10.04
2022.11.11
2023.*
2023.01.02
2023.01.06
2023.02.17
2023.03.03
2023.03.04
2023.06.21
2023.06.22
2023.07.06
2023.09.24
2023.10.07
2023.10.13
2023.11.14
2023.11.16
2023.12.30
2024.*
2024.03.10
2024.04.09
2024.05.26
2024.05.27
2024.07.01
2024.07.02
2024.07.07
2024.07.08
2024.07.09
2024.07.16
2024.07.25
2024.08.01
2024.08.06
2024.09.27
2024.10.07
2024.10.22
2024.11.04
2024.11.18
2024.12.03
2024.12.06
2024.12.13
2024.12.23
2025.*
2025.01.12
2025.01.15
2025.01.26
2025.02.19
2025.03.21
2025.03.25
2025.03.26
2025.03.27
2025.03.31
2025.04.30
2025.05.22
2025.06.09
2025.06.25
2025.06.30

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54072.json"