CVE-2025-54072
Published: 22 July 2025
Summary
CVE-2025-54072 is a high-severity OS Command Injection (CWE-78) vulnerability in yt-dlp (NVD vendor/product: Yt-Dlp Project, Yt-Dlp). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) via unsanitized filepath in --exec directly enables arbitrary Windows command execution (T1059.003); requires user to run yt-dlp against attacker-controlled malicious content (T1204.002).
NVD Description
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
Deeper analysis
CVE-2025-54072 is a remote code execution vulnerability in yt-dlp, a feature-rich command-line audio/video downloader, affecting versions 2025.06.25 and earlier. The issue arises on Windows when the --exec option is used with the default placeholder or {}, due to insufficient sanitization of the expanded filepath. This flaw represents a bypass of the mitigation implemented for CVE-2024-22423, as the default placeholder and {} were not covered by the new escaping rules. It is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by controlling the filename of a downloaded file, such as through a malicious URL. An affected user must execute yt-dlp with the --exec option and the vulnerable placeholder, enabling the unsanitized filepath to inject arbitrary commands. This requires user interaction and high attack complexity but no privileges, potentially allowing the attacker to achieve high-impact confidentiality, integrity, and availability violations through arbitrary code execution on the victim's Windows system.
The yt-dlp security advisory (GHSA-45hg-7f49-5h56), release notes for version 2025.07.21, and the fixing commit (959ac99e98c3215437e573c22d64be42d361e863) confirm the issue is resolved in yt-dlp 2025.07.21. Windows users unable to upgrade are advised to avoid the --exec option entirely and instead use --write-info-json or --dump-json to generate JSON output for processing by external scripts or commands.
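The workaround above (consume --dump-json output from an external script instead of letting --exec expand the filepath into a shell command line) is illustrated below with an added example. This is not yt-dlp project code and not part of the advisory; it assumes that each line printed by `yt-dlp --dump-json` is one JSON object carrying a "filename" (or "filepath") key, and the sample record with a metacharacter-laden filename is constructed for the demonstration. The point is that the filename travels as a single argv element and never through cmd.exe string expansion, so the CWE-78 pattern this CVE describes cannot arise in the post-processing step.

```python
import json
import subprocess
from typing import Iterable, List, Sequence

# Constructed sample line of the kind `yt-dlp --dump-json` emits (one JSON object
# per video). The "filename" key is assumed; the quote and '&' characters in the
# title are there to show that they stay inert in the argv-based approach.
SAMPLE_DUMP_JSON_LINE = json.dumps({
    "id": "abc123",
    "title": 'clip" & echo INJECTED & "',
    "ext": "mp4",
    "filename": 'clip" & echo INJECTED & ".mp4',
})

# Hypothetical post-processing tool; any native executable works the same way.
DEFAULT_TOOL: Sequence[str] = ("ffprobe", "-hide_banner")


def build_post_command(record: dict, tool: Sequence[str] = DEFAULT_TOOL) -> List[str]:
    """Return an argv list for the post-processing tool.

    The filepath becomes exactly one argv element. It is never interpolated into
    a command string, so shell metacharacters in it are data, not syntax.
    """
    path = record.get("filename") or record.get("filepath")
    if not path:
        raise ValueError("record has no filename/filepath")
    return [*tool, path]


def process_dump_json(lines: Iterable[str], tool: Sequence[str] = DEFAULT_TOOL) -> List[List[str]]:
    """Parse --dump-json output line by line and build one argv per record."""
    commands: List[List[str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        commands.append(build_post_command(record, tool))
    return commands


def run_post_command(argv: List[str]) -> int:
    """Run argv without a shell (shell=False is the default; stated explicitly).

    On Windows this goes through CreateProcess, not cmd.exe, so the filename
    argument is quoted as a whole rather than re-parsed as a command line.
    """
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Print the commands instead of running them, since the tool may be absent.
    for argv in process_dump_json([SAMPLE_DUMP_JSON_LINE]):
        print(argv)
```

One caveat for Windows users: if the post-processing target is a .bat or .cmd script, Windows still starts it via cmd.exe, which re-parses the arguments; point this at a native executable (or a Python script) rather than a batch file to keep the argv boundary intact.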
Details
- CWE(s)