{"id":"CVE-2025-54072","summary":"yt-dlp allows `--exec` command injection when using placeholder on Windows","details":"yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.","aliases":["GHSA-45hg-7f49-5h56"],"modified":"2026-07-15T01:48:52.969083262Z","published":"2025-07-22T21:34:43.408Z","database_specific":{"cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54072.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54072.json"},{"type":"ADVISORY","url":"https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54072"},{"type":"FIX","url":"https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yt-dlp/yt-dlp","events":[{"introduced":"0"},{"fixed":"035b1ece8f382358f5503bf5011ca098f6c9eaf9"},{"fixed":"959ac99e98c3215437e573c22d64be42d361e863"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2025.07.21"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*"}}],"versions":["2025.06.30","2025.06.25","2025.06.09","2025.05.22","2025.04.30","2025.03.31","2025.03.27","2025.03.26","2025.03.25","2025.03.21","2025.02.19","2025.01.26","2025.01.15","2025.01.12","2024.12.23","2024.12.13","2024.12.06","2024.12.03","2024.11.18","2024.11.04","2024.10.22","2024.10.07","2024.09.27","2024.08.06","2024.08.01","2024.07.25","2024.07.16","2024.07.09","2024.07.08","2024.07.07","2024.07.02","2024.07.01","2024.05.27","2024.05.26","2024.04.09","2024.03.10","2023.12.30","2023.11.16","2023.11.14","2023.10.13","2023.10.07","2023.09.24","2023.07.06","2023.06.22","2023.06.21","2023.03.04","2023.03.03","2023.02.17","2023.01.06","2023.01.02","2022.11.11","2022.10.04","2022.09.01","2022.08.19","2022.08.14","2022.08.08","2022.07.18","2022.06.29","2022.06.22.1","2022.06.22","2022.05.18","2022.04.08","2022.03.08.1","2022.02.04","2022.02.03","2021.12.27","2021.12.25","2021.12.01","2021.11.10.1","2021.11.10","2021.10.22","2021.10.10","2021.10.09","2021.09.25","2021.09.02","2021.08.10","2021.08.02","2021.07.24","2021.07.21","2021.07.07","2021.06.23","2021.06.09","2021.06.08","2021.06.01","2021.05.11","2021.04.22","2021.04.11","2021.04.03","2021.03.24.1","2021.03.24","2021.03.15","2021.03.07","2021.03.03.2","2021.03.01","2021.02.24","2021.02.19","2021.02.15","2021.02.09","2021.02.04","2021.01.29","2021.01.20","2021.01.16","2021.01.14","2021.01.12","2021.01.10","2021.01.09","2021.01.08","2021.01.07"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54072.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}