{"id":"CVE-2025-43858","summary":"YoutubeDLSharp allows command injection on windows system due to non sanitized arguments","details":"YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.","aliases":["GHSA-2jh5-g5ch-43q5"],"modified":"2026-04-10T05:27:08.056919Z","published":"2025-04-24T18:04:48.447Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43858.json","cwe_ids":["CWE-77","CWE-78"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43858.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-43858"},{"type":"FIX","url":"https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f"},{"type":"FIX","url":"https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bluegrams/youtubedlsharp","events":[{"introduced":"0"},{"fixed":"b6051372bd5af30f95f73de47d9bc71c3a07de0f"}]},{"type":"GIT","repo":"https://github.com/bluegrams/youtubedlsharp","events":[{"introduced":"0"},{"fixed":"fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50"}]}],"versions":["v.1.0.0","v.1.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43858.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"}]}