CVE-2025-54072
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2025-54072. We'll provide specific mitigation strategies based on your environment and risk profile.
CVSS Score
V3.1Attack Vector Metrics
Impact Metrics
Description
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
Available Exploits
Related News
Affected Products
Affected Versions:
EU Vulnerability Database
Monitored by ENISA for EU cybersecurity
ENISA Analysis
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21.
Affected Products (ENISA)
ENISA Scoring
CVSS Score (3.1)
EPSS Score
ENISA References
Data provided by ENISA EU Vulnerability Database. Last updated: July 23, 2025
Social Media Intelligence
Real-time discussions and threat intelligence from social platforms
yt-dlp release 2025.07.21 - Release: https://github.com/yt-dlp/yt-dlp/releases/tag/2025.07.21 https://github.com/yt-dlp/yt-dlp#release-files - Github/Documentation: https://github.com/yt-dlp/yt-dlp#readme - PyPi: https://pypi.org/project/yt-dlp - Donate: [Collaborators.md](https://github.com/yt-dlp/yt-dlp/blob/master/Collaborators.md#collaborators) # Changelog ### Important changes - **Default behaviour changed from `--mtime` to `--no-mtime`** yt-dlp no longer applies the server modified time to downloaded files by default. [Read more](https://github.com/yt-dlp/yt-dlp/issues/12780) - Security: [[CVE-2025-54072](https://nvd.nist.gov/vuln/detail/CVE-2025-54072)] [Fix `--exec` placeholder …