CVE-2025-54072
RCETitle: Yt-Dlp Project Yt-Dlp RCE
Proof Of Concept
No public PoC currently indexed for CVE-2025-54072.
Vulnerability Summary
CVE-2025-54072: yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Associated Attack Patterns (CAPEC)
Total: PatternsNo specific attack patterns mapped.
CVE-2025-54072 Exploits & PoCs (Proof Of Concept)
No public PoCs found in our database for this CVE.
Vulnerability data or affected products updated.
Vulnerability data updated via NVD.
Vulnerability first announced in NVD.
Attack Vector Matrix
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Stack
No specific products linked.