Cyber Posture

CVE-2025-66203

Critical · Public PoC · RCE

Published: 27 December 2025

Modified: 09 March 2026
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0070 (72.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66203 is a critical-severity OS Command Injection (CWE-78) vulnerability in Lemon8866 StreamVault. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 27.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (function: prevent)

Directly mandates validation of administrator inputs to the /admin/api/saveConfig endpoint to block malicious yt-dlp arguments that enable OS command injection and RCE.

SI-2 Flaw Remediation (function: prevent, recover)

Requires timely identification, reporting, and correction of the RCE flaw, such as applying the patch in StreamVault version 251126.

(function: prevent)

Restricts classes of inputs to the configuration endpoint, such as prohibiting shell metacharacters or excessive lengths, to mitigate command injection risks.

MITRE ATT&CK Enterprise Techniques [AI]

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Vulnerability enables OS command injection (CWE-78) for arbitrary remote code execution as an authenticated low-privilege admin, directly mapping to command interpreter abuse (T1059), exploitation for privilege escalation (T1068), and exploitation of remote services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.

Deeper analysis [AI]

CVE-2025-66203 is a remote code execution (RCE) vulnerability affecting StreamVault, a video download integration solution, in versions prior to 251126. The issue resides in the stream-vault application (SpiritApplication), where administrators can configure yt-dlp arguments through the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and later used in YtDlpUtil.java to construct command lines for executing yt-dlp, enabling OS command injection (CWE-78). The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.

An authenticated attacker with low privileges, such as an administrator, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting malicious yt-dlp arguments via the configuration endpoint, the attacker can inject arbitrary commands that execute during subsequent yt-dlp invocations. This achieves full system compromise, granting high-impact confidentiality, integrity, and availability violations across the affected scope due to the changed scope (S:C).

The vulnerability has been patched in StreamVault version 251126. Official mitigation details are available in the GitHub security advisory at https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m and the release notes at https://github.com/lemon8866/StreamVault/releases/tag/251226, which security practitioners should review for upgrade instructions and any additional hardening recommendations.
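The hardened pattern the controls above describe, as an added illustration that is not StreamVault's own code: allowlist the yt-dlp options an administrator may set, reject shell metacharacters and over-long values, and hand the result to the process as an argv list rather than a shell command string. The class name, the option allowlist and the length limit are assumptions for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
/** Hypothetical allowlist policy for admin-supplied yt-dlp arguments (example code, not StreamVault's). */
public final class YtDlpArgPolicy {
    // Options an administrator may configure; an assumption for this example, tune per deployment.
    private static final Set<String> ALLOWED_OPTIONS = Set.of(
            "--format", "--output", "--proxy", "--limit-rate", "--merge-output-format", "--no-playlist");
    private static final Set<String> FLAG_OPTIONS = Set.of("--no-playlist"); // allowlisted options without a value
    private static final int MAX_ARG_LENGTH = 256;
    // Shell metacharacters and control characters are rejected even though no shell is involved below.
    private static final Pattern FORBIDDEN = Pattern.compile("[;&|`$<>(){}\\\\\\r\\n\\t\\x00]");
    // Returns the arguments if every one passes, otherwise throws. An allowlist rather than a denylist is
    // needed because yt-dlp has options such as --exec that run external programs by design.
    public static List<String> validate(List<String> configured) {
        List<String> accepted = new ArrayList<>();
        boolean expectValue = false;
        for (int i = 0; i < configured.size(); i++) {
            String arg = configured.get(i);
            if (arg == null || arg.isEmpty() || arg.length() > MAX_ARG_LENGTH || FORBIDDEN.matcher(arg).find()) {
                throw new IllegalArgumentException("yt-dlp argument " + i + " rejected by input validation");
            }
            if (expectValue) {
                // Value for the preceding option; it must not itself look like an option.
                if (arg.startsWith("-")) throw new IllegalArgumentException("value " + i + " looks like an option");
                expectValue = false;
            } else {
                int eq = arg.indexOf('=');
                String option = eq < 0 ? arg : arg.substring(0, eq);
                if (!ALLOWED_OPTIONS.contains(option)) {
                    throw new IllegalArgumentException("yt-dlp option " + i + " is not allowlisted");
                }
                expectValue = eq < 0 && !FLAG_OPTIONS.contains(option);
            }
            accepted.add(arg);
        }
        if (expectValue) throw new IllegalArgumentException("trailing option is missing its value");
        return List.copyOf(accepted);
    }
    /** Builds the yt-dlp invocation as an argv list (no shell); "--" stops option parsing before the URL. */
    public static ProcessBuilder buildCommand(List<String> validatedArgs, String url) {
        List<String> argv = new ArrayList<>(List.of("yt-dlp"));
        argv.addAll(validatedArgs);
        argv.addAll(List.of("--", url));
        return new ProcessBuilder(argv);
    }
}
```

Call `validate` on the stored configuration at save time and again before every invocation, so that a value written before the policy existed cannot reach `buildCommand`.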

Details

CWE(s): CWE-78 OS Command Injection

Affected Products

Vendor: lemon8866
Product: streamvault
Versions: ≤ 251126

CVEs Like This One

CVE-2026-5707 (shared CWE-78)
CVE-2026-2630 (shared CWE-78)
CVE-2025-11787 (shared CWE-78)
CVE-2025-44961 (shared CWE-78)
CVE-2025-33234 (shared CWE-78)
CVE-2026-24452 (shared CWE-78)
CVE-2026-25105 (shared CWE-78)
CVE-2026-1428 (shared CWE-78)
CVE-2026-33613 (shared CWE-78)
CVE-2026-22221 (shared CWE-78)

References