CVE-2025-54072
📋 TL;DR
This vulnerability allows remote code execution on Windows systems when yt-dlp is run with the --exec option and its default placeholder. Attackers can craft malicious filenames that bypass the filename sanitization and cause arbitrary commands to be executed. Only Windows users of yt-dlp versions 2025.06.25 and below who use the --exec option are affected.
💻 Affected Systems
- yt-dlp
📦 What is this software?
yt-dlp, by the yt-dlp project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the Windows machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or execution of arbitrary commands in the context of the yt-dlp user, potentially leading to data exfiltration or installation of malware.
If Mitigated
No impact if the --exec option is avoided, or if downloaded content is validated by external scripts instead of being passed through --exec.
🎯 Exploit Status
Exploitation requires the user to download a maliciously named file and to use the --exec option. The issue is a bypass of the mitigation for the earlier CVE-2024-22423.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.07.21
Vendor Advisory: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56
Restart Required: No
Instructions:
1. Upgrade yt-dlp to version 2025.07.21 or later using: pip install --upgrade yt-dlp
2. Verify installation with: yt-dlp --version
3. No system restart required.
🔧 Temporary Workarounds
Avoid --exec option (Windows)
Completely avoid using the --exec option on Windows systems. Do not use --exec in any yt-dlp commands.
Use JSON output with external processing (all platforms)
Use the --write-info-json or --dump-json options and process the output with external scripts:
yt-dlp --write-info-json <URL>
yt-dlp --dump-json <URL>
🧯 If You Can't Patch
- Immediately stop using --exec option on all Windows systems
- Implement strict file naming policies and input validation for downloaded content
🔍 How to Verify
Check if Vulnerable:
Check the yt-dlp version with: yt-dlp --version. If the version is 2025.06.25 or below and you use --exec on Windows, you are vulnerable.
Check Version:
yt-dlp --version
Verify Fix Applied:
After the upgrade, verify that the version is 2025.07.21 or higher with: yt-dlp --version
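As an added example (not the advisory's or yt-dlp's own code) covering both the JSON-output workaround and the version check above, the Python below compares a reported version against 2025.07.21 and builds the post-download command from the info.json as an argument list, so the downloaded filename is never interpreted by cmd.exe; the `filepath`/`_filename` keys and the `ffprobe` tool are assumptions.

```python
import json
import subprocess
from pathlib import Path

# First yt-dlp release carrying the fix named in the advisory.
FIXED_VERSION = (2025, 7, 21)


def parse_version(version: str) -> tuple:
    """Turn a date-style yt-dlp version ('2025.06.25', '2025.06.25.1') into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when the version predates 2025.07.21 (i.e. is 2025.06.25 or older)."""
    return parse_version(version) < FIXED_VERSION


def installed_version() -> str:
    """Run `yt-dlp --version` as an argument list (no shell) and return its output."""
    out = subprocess.run(["yt-dlp", "--version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def build_post_command(info: dict, tool: str = "ffprobe") -> list:
    """Build argv for a post-download step from the info.json written by --write-info-json.

    The command is an argument list that never passes through cmd.exe, so shell
    metacharacters in the downloaded filename stay inside one inert argument.
    'filepath' and '_filename' are the info.json keys assumed here.
    """
    path = info.get("filepath") or info.get("_filename")
    if not path:
        raise ValueError("info.json carries no filepath/_filename field")
    return [tool, "-hide_banner", str(Path(path))]


def post_process(info_json: Path, tool: str = "ffprobe") -> subprocess.CompletedProcess:
    """Read info.json and run the post-processing tool without shell=True."""
    info = json.loads(info_json.read_text(encoding="utf-8"))
    return subprocess.run(build_post_command(info, tool), check=False)


if __name__ == "__main__":
    # Constructed sample: a filename with characters cmd.exe would interpret if
    # --exec expanded it; as an argv element it is passed through unchanged.
    sample = {"_filename": "clip & title %TEMP% (1).mp4", "id": "sample"}
    print(build_post_command(sample))
    print("vulnerable" if is_vulnerable_version("2025.06.25") else "fixed")
```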
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns from yt-dlp process
- Suspicious file operations following yt-dlp downloads
Network Indicators:
- Outbound connections from yt-dlp process to unexpected destinations
- DNS queries for command and control domains
SIEM Query:
process_name:yt-dlp AND command_line:*--exec* AND os:Windows