CVE-2025-43858 (GCVE-0-2025-43858)
Vulnerability from cvelistv5
Published
2025-04-24 18:04
Modified
2025-04-24 19:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bluegrams | YoutubeDLSharp |
Version: >= 1.0.0-beta4, < 1.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43858",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T19:03:58.754946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T19:04:13.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "YoutubeDLSharp",
"vendor": "Bluegrams",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0-beta4, \u003c 1.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T18:04:48.447Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5"
},
{
"name": "https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f"
},
{
"name": "https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50"
}
],
"source": {
"advisory": "GHSA-2jh5-g5ch-43q5",
"discovery": "UNKNOWN"
},
"title": "YoutubeDLSharp allows command injection on windows system due to non sanitized arguments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-43858",
"datePublished": "2025-04-24T18:04:48.447Z",
"dateReserved": "2025-04-17T20:07:08.555Z",
"dateUpdated": "2025-04-24T19:04:13.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-43858\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-04-24T18:15:20.120\",\"lastModified\":\"2025-04-29T13:52:28.490\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.\"},{\"lang\":\"es\",\"value\":\"YoutubeDLSharp es un contenedor para los descargadores de v\u00eddeo de l\u00ednea de comandos youtube-dl y yt-dlp. En versiones a partir de la 1.0.0-beta4 y anteriores a la 1.1.2, una conversi\u00f3n insegura de argumentos permite la inyecci\u00f3n de comandos maliciosos al iniciar `yt-dlp` desde un s\u00edmbolo del sistema en Windows con el valor `UseWindowsEncodingWorkaround` definido como verdadero (comportamiento predeterminado). Si un usuario utiliza m\u00e9todos integrados del archivo YoutubeDL.cs, el valor es verdadero por defecto y no se puede desactivar desde estos m\u00e9todos. Este problema se ha corregido en la versi\u00f3n 1.1.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.5,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"},{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-43858\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T19:03:58.754946Z\"}}}], \"references\": [{\"url\": \"https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T19:04:10.771Z\"}}], \"cna\": {\"title\": \"YoutubeDLSharp allows command injection on windows system due to non sanitized arguments\", \"source\": {\"advisory\": \"GHSA-2jh5-g5ch-43q5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Bluegrams\", \"product\": \"YoutubeDLSharp\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.0.0-beta4, \u003c 1.1.2\"}]}], \"references\": [{\"url\": \"https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5\", \"name\": \"https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f\", \"name\": \"https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50\", \"name\": \"https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-24T18:04:48.447Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-43858\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-24T19:04:13.866Z\", \"dateReserved\": \"2025-04-17T20:07:08.555Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-24T18:04:48.447Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
fkie_cve-2025-43858
Vulnerability from fkie_nvd
Published
2025-04-24 18:15
Modified
2025-04-29 13:52
Severity ?
Summary
YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f | ||
| security-advisories@github.com | https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50 | ||
| security-advisories@github.com | https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5 | ||
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5 |
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting `yt-dlp` from a commands prompt running on Windows OS with the `UseWindowsEncodingWorkaround` value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2."
},
{
"lang": "es",
"value": "YoutubeDLSharp es un contenedor para los descargadores de v\u00eddeo de l\u00ednea de comandos youtube-dl y yt-dlp. En versiones a partir de la 1.0.0-beta4 y anteriores a la 1.1.2, una conversi\u00f3n insegura de argumentos permite la inyecci\u00f3n de comandos maliciosos al iniciar `yt-dlp` desde un s\u00edmbolo del sistema en Windows con el valor `UseWindowsEncodingWorkaround` definido como verdadero (comportamiento predeterminado). Si un usuario utiliza m\u00e9todos integrados del archivo YoutubeDL.cs, el valor es verdadero por defecto y no se puede desactivar desde estos m\u00e9todos. Este problema se ha corregido en la versi\u00f3n 1.1.2."
}
],
"id": "CVE-2025-43858",
"lastModified": "2025-04-29T13:52:28.490",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-24T18:15:20.120",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
},
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
ghsa-2jh5-g5ch-43q5
Vulnerability from github
Published
2025-04-23 22:25
Modified
2025-04-24 19:20
Severity ?
VLAI Severity ?
Summary
YoutubeDLSharp allows command injection on windows system due to non sanitized arguments
Details
Summary
This vulnerability only apply when running on a Windows OS.
An unsafe conversion of arguments allows the injection of a malicous commands when starting yt-dlp from a commands prompt.
[!CAUTION] NOTE THAT DEPENDING ON THE CONTEXT AND WHERE THE LIBRARY IS USED, THIS MAY HAVE MORE SEVERE CONSEQUENCES. FOR EXAMPLE, A USER USING THE LIBRARY LOCALLY IS A LOT LESS VULNERABLE THAN AN ASP.NET APPLICATION ACCEPTING INPUTS FROM A NETWORK/INTERNET.
Details
The vulnerability have been implemented in a commit (https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50) 3 year ago to fix a issue with unicode characters on Windows. ( In the latest version at the time of writing this, the code seems to have moved here : https://github.com/Bluegrams/YoutubeDLSharp/blob/b2f7968a2ef06a9c7b2c212785cfeac0b187b6d8/YoutubeDLSharp/YoutubeDLProcess.cs#L87 ) In this commit, a new way of starting yt-dlp was implemented, method that was defined as the default behaviour.
When the internal method ConvertToArgs get called, the application will test multiples conditions to decide on how the yt-dlp application should be started. The condition we are interesed in, as well a the default one on Windows, is at line 99 . Inside the if statement, we can see that insead of directly calling the yt-dlp binary, a command prompt is opened to run yt-dlp.
The problem arises when you realize that both arguments in the ConvertToArgs method may be provided by an untrusted client. Since the documentation of YoutubeDLSharp does not warn developers about this behavior, they might assume that the library handles this safely by ensuring that the arguments are secure to run inside a command prompt. Instead, the two potentially malicious arguments are directly appended to the command string without any sanitization (see line 104 and 107).
PoC
For this example, I'm going to use the version 1.1.1 and a method inside YoutubeDL.cs. Assuming you are running on a Windows OS, this method will by default use a CMD to open yt-dlp.
```c# using YoutubeDLSharp;
public async Task> GetMediaInformation()
{
YoutubeDL youtubeDl = new YoutubeDL();
// Fetch media information using a badly crafted "url" (escaped)
return await youtubeDl.RunVideoDataFetch("https://example.com/\" & start calc.exe");
}
At the call of `GetMediaInformation`, the method `RunVideoDataFetch` will be called, internally this method will call the vulnerable method [`ConvertToArgs`] resulting in the following string:
/C chcp 65001 >nul 2>&1 && "yt-dlp.exe" --external-downloader "m3u8:native" --external-downloader-args "ffmpeg:-nostats -loglevel 0" -o "C:\Users\\Documents\GitHub\\\bin\Release\net8.0\%(title)s [%(id)s]_%(epoch)s.%(ext)s" --force-overwrites --no-part -i --ignore-config --ffmpeg-location "ffmpeg.exe" --exec "echo outfile: {}" -- "https://example.com/" & start calc.exe"
```
[!NOTE] Some text have been replaced by
<hidden>inside the command.
The important part here is at the end of the command, we can see "https://example.com/" & start calc.exe", if we compare it with our
malicious URL https://example.com/" & start calc.exe, we can see that the method added quotes at the start and the end of the string. However, our additional quote in the URL followed by the & character made it so the CMD interprets what follows the & as a new command, thus executing yt-dlp AND the very dangerous start calc.exe 😊.
Here is a screenshot of the processes using another malicious url https://example.com/" & start msinfo32
Impact
Every users running a effected version on a Windows OS with the UseWindowsEncodingWorkaround value defined to true (default behaviour). If you are using build-in methods form the YoutubeDL.cs file, the value is true by default and you cannot disable it from theses methods.
Patch
Upgrade to v.1.1.2 or higher of YoutubeDLSharp. The UseWindowsEncodingWorkaround property has been removed entirely in v.1.1.2.
Workaround
(only for v1.1.1 or lower, please upgrade to the latest version)
Using YoutubeDLProcess
If you are using a YoutubeDLProcess object directly to communicate with yt-dlp, you can disable UseWindowsEncodingWorkaround to mitigate the vulnerability. Doing so will execute the yt-dlp binary directly. However, you will lose support for Unicode characters.
Example:
c#
YoutubeDLProcess youtubeDLProc = new YoutubeDLProcess()
{
UseWindowsEncodingWorkaround = false
};
Sanitizing url
If you want to keep support for Unicode characters or are using methods from the YoutubeDL.cs file, you would need to manually sanitize your inputs until a version with a fix is released. For URL sanitization, I managed to prevent the exploitation of the PoC by creating this method. However, I can't guarantee it would work in every case.
c#
public static string? SanitizeUrl(string url)
{
// Parse the URL using Uri
if (Uri.TryCreate(url, UriKind.Absolute, out Uri? urlUri))
{
// According to the microsoft docs getting the absolute url append
// all of the others fields, theses fields get URI escaped when you GET them
// (https://learn.microsoft.com/en-us/dotnet/api/system.uri.query?view=net-8.0#remarks)
return urlUri.AbsoluteUri;
}
// Invalid url format
return null;
}
This works because Uri properties have special characters like spaces and " escaped into percent numbers like %20, thus turning our malicous url into https://example.com/%22%20&%20start%20calc.exe.
Note, however, that if you modify the options with which yt-dlp is run, you need to ensure every option is also sanitized (assuming they are taken from a untrusted user input). This method won't work as these options are not URLs.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "YoutubeDLSharp"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0-beta4"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43858"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-23T22:25:20Z",
"nvd_published_at": "2025-04-24T18:15:20Z",
"severity": "CRITICAL"
},
"details": "## Summary\nThis vulnerability only apply when running on a Windows OS.\nAn unsafe conversion of arguments allows the injection of a malicous commands when starting `yt-dlp` from a commands prompt.\n\n\u003e [!CAUTION]\n\u003e **NOTE THAT DEPENDING ON THE CONTEXT AND WHERE THE LIBRARY IS USED, THIS MAY HAVE MORE SEVERE CONSEQUENCES. FOR EXAMPLE, A USER USING THE LIBRARY LOCALLY IS A LOT LESS VULNERABLE THAN AN ASP.NET APPLICATION ACCEPTING INPUTS FROM A NETWORK/INTERNET.**\n\n## Details\n\nThe vulnerability have been implemented in a commit (https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50) 3 year ago to fix a issue with unicode characters on Windows. ( In the latest version at the time of writing this, the code seems to have moved here : https://github.com/Bluegrams/YoutubeDLSharp/blob/b2f7968a2ef06a9c7b2c212785cfeac0b187b6d8/YoutubeDLSharp/YoutubeDLProcess.cs#L87 )\nIn this commit, a new way of starting yt-dlp was implemented, method that was defined as the default behaviour. \n\nWhen the internal method [`ConvertToArgs`](https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50#diff-8ec44b4ade6ce6ed38ebf7e765dc86c426984a18304cd1cd320bf92500133c88R64) get called, the application will test multiples conditions to decide on how the yt-dlp application should be started. The condition we are interesed in, as well a the default one on Windows, is at [line 99](https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50#diff-8ec44b4ade6ce6ed38ebf7e765dc86c426984a18304cd1cd320bf92500133c88R99) . Inside the `if` statement, we can see that insead of directly calling the `yt-dlp` binary, a command prompt is opened to run `yt-dlp`. \n\n**The problem arises when you realize that both arguments in the `ConvertToArgs` method may be provided by an untrusted client.** Since the documentation of YoutubeDLSharp does not warn developers about this behavior, they might assume that the library handles this safely by ensuring that the arguments are secure to run inside a command prompt. Instead, the two potentially malicious arguments are directly appended to the command string without any sanitization (see line [104](https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50#diff-8ec44b4ade6ce6ed38ebf7e765dc86c426984a18304cd1cd320bf92500133c88R104) and [107](https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50#diff-8ec44b4ade6ce6ed38ebf7e765dc86c426984a18304cd1cd320bf92500133c88R107)).\n\n\n\n## PoC\nFor this example, I\u0027m going to use the version `1.1.1` and a method inside [YoutubeDL.cs](https://github.com/Bluegrams/YoutubeDLSharp/blob/b2f7968a2ef06a9c7b2c212785cfeac0b187b6d8/YoutubeDLSharp/YoutubeDL.cs). Assuming you are running on a Windows OS, this method will by default use a CMD to open yt-dlp.\n\n```c#\nusing YoutubeDLSharp;\n\npublic async Task\u003cRunResult\u003cVideoData\u003e\u003e GetMediaInformation()\n{\n YoutubeDL youtubeDl = new YoutubeDL();\n\t// Fetch media information using a badly crafted \"url\" (escaped)\n\treturn await youtubeDl.RunVideoDataFetch(\"https://example.com/\\\" \u0026 start calc.exe\");\n}\n```\nAt the call of `GetMediaInformation`, the method `RunVideoDataFetch` will be called, internally this method will call the vulnerable method [`ConvertToArgs`] resulting in the following string: \n```\n/C chcp 65001 \u003enul 2\u003e\u00261 \u0026\u0026 \"yt-dlp.exe\" --external-downloader \"m3u8:native\" --external-downloader-args \"ffmpeg:-nostats -loglevel 0\" -o \"C:\\Users\\\u003chidden\u003e\\Documents\\GitHub\\\u003chidden\u003e\\\u003chidden\u003e\\bin\\Release\\net8.0\\%(title)s [%(id)s]_%(epoch)s.%(ext)s\" --force-overwrites --no-part -i --ignore-config --ffmpeg-location \"ffmpeg.exe\" --exec \"echo outfile: {}\" -- \"https://example.com/\" \u0026 start calc.exe\"\n```\n\u003e[!NOTE]\n\u003e Some text have been replaced by `\u003chidden\u003e` inside the command.\n\nThe important part here is at the end of the command, we can see `\"https://example.com/\" \u0026 start calc.exe\"`, if we compare it with our \nmalicious URL `https://example.com/\" \u0026 start calc.exe`, we can see that the method added quotes at the start and the end of the string. However, our additional quote in the URL followed by the `\u0026` character made it so the CMD interprets what follows the `\u0026` as a new command, thus executing `yt-dlp` **AND** the *very* dangerous `start calc.exe` \ud83d\ude0a.\n\nHere is a screenshot of the processes using another malicious url `https://example.com/\" \u0026 start msinfo32`\n\n\n## Impact\nEvery users running a effected version on a Windows OS with the [`UseWindowsEncodingWorkaround`](https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50#diff-8ec44b4ade6ce6ed38ebf7e765dc86c426984a18304cd1cd320bf92500133c88R44) value defined to true (default behaviour). If you are using build-in methods form the [YoutubeDL.cs](https://github.com/Bluegrams/YoutubeDLSharp/blob/b2f7968a2ef06a9c7b2c212785cfeac0b187b6d8/YoutubeDLSharp/YoutubeDL.cs) file, the value is `true` by default and **you cannot disable it from theses methods**.\n\n## Patch\n\nUpgrade to **v.1.1.2 or higher** of YoutubeDLSharp. The `UseWindowsEncodingWorkaround` property has been removed entirely in v.1.1.2.\n\n## Workaround\n(only for v1.1.1 or lower, please upgrade to the latest version)\n\n### Using `YoutubeDLProcess`\nIf you are using a `YoutubeDLProcess` object directly to communicate with yt-dlp, you can disable `UseWindowsEncodingWorkaround` to mitigate the vulnerability. Doing so will execute the yt-dlp binary directly. However, you will lose support for Unicode characters.\n**Example:**\n```c#\nYoutubeDLProcess youtubeDLProc = new YoutubeDLProcess()\n{\n UseWindowsEncodingWorkaround = false\n};\n```\n\n### Sanitizing url\nIf you want to keep support for Unicode characters or are using methods from the [YoutubeDL.cs](https://github.com/Bluegrams/YoutubeDLSharp/blob/b2f7968a2ef06a9c7b2c212785cfeac0b187b6d8/YoutubeDLSharp/YoutubeDL.cs) file, you would need to manually sanitize your inputs until a version with a fix is released. For URL sanitization, I managed to prevent the exploitation of the PoC by creating this method. However, I can\u0027t guarantee it would work in every case.\n```c#\n\t\tpublic static string? SanitizeUrl(string url)\n\t\t{\n\t\t\t// Parse the URL using Uri\n\t\t\tif (Uri.TryCreate(url, UriKind.Absolute, out Uri? urlUri))\n\t\t\t{\n\t\t\t\t// According to the microsoft docs getting the absolute url append\n\t\t\t\t// all of the others fields, theses fields get URI escaped when you GET them\n\t\t\t\t// (https://learn.microsoft.com/en-us/dotnet/api/system.uri.query?view=net-8.0#remarks) \n\t\t\t\treturn urlUri.AbsoluteUri;\n\t\t\t}\n\t\t\t// Invalid url format\n\t\t\treturn null;\n\t\t}\n```\nThis works because Uri properties have special characters like spaces and `\"` escaped into percent numbers like `%20`, thus turning our malicous url into `https://example.com/%22%20\u0026%20start%20calc.exe`.\n**Note, however, that if you modify the options with which yt-dlp is run, you need to ensure every option is also sanitized (assuming they are taken from a untrusted user input). This method won\u0027t work as these options are not URLs.**",
"id": "GHSA-2jh5-g5ch-43q5",
"modified": "2025-04-24T19:20:03Z",
"published": "2025-04-23T22:25:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43858"
},
{
"type": "WEB",
"url": "https://github.com/Bluegrams/YoutubeDLSharp/commit/b6051372bd5af30f95f73de47d9bc71c3a07de0f"
},
{
"type": "WEB",
"url": "https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50"
},
{
"type": "PACKAGE",
"url": "https://github.com/Bluegrams/YoutubeDLSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "YoutubeDLSharp allows command injection on windows system due to non sanitized arguments"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…