CVE-2025-54072 · HIGH 8.1 · EPSS p41.0%


Description

yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% probability of exploitation · percentile 41.0% · 2026-06-19T12:03:05Z
Published: 2025-07-22
Last modified: 2025-10-09

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/yt-dlp/yt-dlp/commit/959ac99e98c3215437e573c22d64be42d361e863
  2. https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21
  3. https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-45hg-7f49-5h56


Type      | Target                                                                                            | Confidence | Tier
Weakness  | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), cwe-78 | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-26331
CVE: CVE-2025-43858
CVE: CVE-2025-66203
LOLbin: yt-dlp
CVE: CVE-2025-53131
CVE: CVE-2025-54802
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.