CVE-2025-43858: YoutubeDLSharp allows command injection on Windows systems due to unsanitized arguments
This vulnerability only applies when running on a Windows OS.
An unsafe conversion of arguments allows the injection of malicious commands when yt-dlp is started from a command prompt.
[!CAUTION] NOTE THAT DEPENDING ON THE CONTEXT AND WHERE THE LIBRARY IS USED, THIS MAY HAVE MORE SEVERE CONSEQUENCES. FOR EXAMPLE, A USER USING THE LIBRARY LOCALLY IS A LOT LESS VULNERABLE THAN AN ASP.NET APPLICATION ACCEPTING INPUTS FROM A NETWORK/INTERNET.
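As an added illustration (not code from YoutubeDLSharp or from the fix commits), the following C# shows one defensive way to start yt-dlp from .NET on Windows so that caller-supplied input is validated and passed as a separate argument vector entry rather than spliced into a command string. The class and method names are hypothetical, and it assumes .NET Core 2.1 / .NET 5 or later for ProcessStartInfo.ArgumentList.

```csharp
// Added example, not part of YoutubeDLSharp: launch yt-dlp with per-argument quoting
// and an allow-list on the download target, so untrusted input cannot reach a shell
// or be interpreted as additional yt-dlp options.
using System;
using System.Diagnostics;

public static class SafeYtDlpLauncher   // hypothetical name
{
    // Allow-list check: only absolute http/https URLs are accepted as download targets.
    // Quotes, '&', leading '-', local paths and anything that is not a URL are rejected
    // before the value gets anywhere near the process start.
    public static bool IsAllowedUrl(string input)
    {
        if (!Uri.TryCreate(input, UriKind.Absolute, out var uri)) return false;
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    // outputTemplate is assumed to be application-controlled, not user input.
    public static ProcessStartInfo BuildStartInfo(string ytDlpExePath, string url, string outputTemplate)
    {
        if (!IsAllowedUrl(url))
            throw new ArgumentException("Only absolute http/https URLs are accepted.", nameof(url));

        var psi = new ProcessStartInfo
        {
            // Point at the real yt-dlp.exe, not a .bat/.cmd wrapper: a batch file is
            // implicitly run through cmd.exe, which re-parses the command line.
            FileName = ytDlpExePath,
            UseShellExecute = false,        // never route the launch through cmd.exe
            RedirectStandardOutput = true,
            RedirectStandardError = true,
        };

        // Each ArgumentList entry is quoted by the runtime using the Windows argv rules,
        // so an embedded '"' or space in a value cannot split or extend the argument vector.
        psi.ArgumentList.Add("--no-playlist");
        psi.ArgumentList.Add("-o");
        psi.ArgumentList.Add(outputTemplate);
        psi.ArgumentList.Add("--");         // end of options: a value starting with '-' is a URL, not a flag
        psi.ArgumentList.Add(url);
        return psi;
    }
}
```

The contrast with the vulnerable pattern is that nothing caller-supplied is ever concatenated into a single command string; the detection signal on a host is the same in both cases, a child process of the .NET application whose command line contains unexpected yt-dlp options or shell metacharacters.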
References
- github.com/Bluegrams/YoutubeDLSharp
- github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f
- github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50
- github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5
- github.com/advisories/GHSA-2jh5-g5ch-43q5
- nvd.nist.gov/vuln/detail/CVE-2025-43858