CVE-2025-54072
Published: 22 July 2025
Summary
CVE-2025-54072 is a high-severity OS Command Injection (CWE-78) vulnerability in yt-dlp (vendor: Yt-Dlp Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked in the top 33.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-54072 is a remote code execution vulnerability in yt-dlp, a feature-rich command-line audio/video downloader, affecting versions 2025.06.25 and earlier. The issue arises on Windows when the --exec option is used with the default placeholder or {}, due to insufficient sanitization of the expanded filepath. This flaw represents a bypass of the mitigation implemented for CVE-2024-22423, as the default placeholder and {} were not covered by the new escaping rules. It is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by controlling the filename of a downloaded file, such as through a malicious URL. An affected user must execute yt-dlp with the --exec option and the vulnerable placeholder, enabling the unsanitized filepath to inject arbitrary commands. This requires user interaction and high attack complexity but no privileges, potentially allowing the attacker to achieve high-impact confidentiality, integrity, and availability violations through arbitrary code execution on the victim's Windows system.
The yt-dlp security advisory (GHSA-45hg-7f49-5h56), release notes for version 2025.07.21, and the fixing commit (959ac99e98c3215437e573c22d64be42d361e863) confirm the issue is resolved in yt-dlp 2025.07.21. Windows users unable to upgrade are advised to avoid the --exec option entirely and instead use --write-info-json or --dump-json to generate JSON output for processing by external scripts or commands.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22381
Vulnerability details
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
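The workaround above replaces --exec with JSON output consumed by an external script. The following is an added example of such a consumer, written here for this page and not code from the yt-dlp project: it parses --dump-json lines, checks that the reported file path stays inside the expected download directory, and invokes a post-processing tool through an argument list with shell=False, so a filename chosen by a remote party is passed as data rather than parsed as command syntax. The info-dict field names (`_filename`, `filepath`), the `downloads` directory and the `ffprobe` command are assumptions.

```python
"""Consume yt-dlp JSON output and post-process files without a shell command line."""
import json
import pathlib
import subprocess

# Constructed sample of --dump-json output: one JSON object per line, trimmed to
# the fields used here; the third line stands in for a non-JSON progress message.
SAMPLE_JSON_LINES = (
    '{"id": "abc123", "title": "Talk 1", "_filename": "downloads/Talk 1 [abc123].mp4"}\n'
    '{"id": "def456", "title": "Talk & 2", "_filename": "downloads/Talk & 2 [def456].mp4"}\n'
    'not a json line\n'
)

def parse_dump_json(text):
    """Yield info dicts from --dump-json output, skipping lines that are not JSON objects."""
    for line in text.splitlines():
        try:
            info = json.loads(line)
        except json.JSONDecodeError:
            continue  # progress or warning text mixed into the stream
        if isinstance(info, dict):
            yield info

def safe_target_path(info, download_dir):
    """Return the file's resolved path if it lies under download_dir, else None."""
    raw = info.get("filepath") or info.get("_filename")  # assumed field names
    if not raw:
        return None
    base = pathlib.Path(download_dir).resolve()
    target = pathlib.Path(raw).resolve()  # yt-dlp paths are relative to the cwd
    return target if target.is_relative_to(base) else None  # Python 3.9+

def build_postprocess_argv(info, download_dir, tool=("ffprobe", "-hide_banner")):
    """argv list for the tool, or None if the path was rejected. The path is one
    argument, so shell metacharacters in a filename stay data, not command syntax."""
    target = safe_target_path(info, download_dir)
    return None if target is None else [*tool, str(target)]

def run_postprocess(info, download_dir):
    """Run the tool with shell=False: neither cmd.exe nor /bin/sh parses the filename."""
    argv = build_postprocess_argv(info, download_dir)
    return None if argv is None else subprocess.run(argv, shell=False).returncode

if __name__ == "__main__":
    for entry in parse_dump_json(SAMPLE_JSON_LINES):
        print(build_postprocess_argv(entry, "downloads"))
```

In real use the JSON would come from `yt-dlp --dump-json URL` on stdin or from the .info.json file written by --write-info-json; the path check is the input-validation step that --exec before 2025.07.21 lacked on Windows.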
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) via the unsanitized filepath in --exec directly enables arbitrary Windows command execution (T1059.003); it requires the user to run yt-dlp against attacker-controlled malicious content (T1204.002).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of yt-dlp to version 2025.07.21 or later to remediate the command injection flaw in the --exec option.
- SI-10 (Information Input Validation): enforces input validation and sanitization of filepaths expanded by the default placeholder or {} in yt-dlp's --exec, preventing OS command injection.
- Limits exposure by restricting or disabling risky features such as yt-dlp's --exec option, in line with the recommended workaround of using the JSON output alternatives.