Detections
Analytics

CVE-2025-43858

critical

Description

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.

References

https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5

https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50

https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f

Details

Source: Mitre, NVD

Published: 2025-04-24

Updated: 2025-04-24

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:P

Severity: Medium

CVSS v3

Base Score: 9.2

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Severity: Critical

EPSS

EPSS: 0.00019