CVE-2025-43858: Critical Command Injection in YoutubeDLSharp on Windows

Overview

CVE-2025-43858 is a critical vulnerability discovered in YoutubeDLSharp, a .NET wrapper around the popular command-line video downloaders youtube-dl and yt-dlp. This issue affects versions from 1.0.0-beta4 to prior to 1.1.2 and allows for command injection on Windows systems under specific conditions.

Technical Details

The vulnerability is categorized under CWE-77 and CWE-78, which refer to improper neutralization of special elements in command inputs. Specifically, YoutubeDLSharp passes arguments to yt-dlp without proper sanitization when executed via the command prompt on Windows.

This behavior becomes critical due to the use of the UseWindowsEncodingWorkaround flag, which is set to true by default. Users invoking built-in methods from YoutubeDL.cs cannot override this setting, making them especially vulnerable. As a result, a malicious input could trigger unintended command execution, potentially compromising confidentiality, integrity, and availability on the target system.

CVSS Score and Severity

The vulnerability has been assigned a CVSS v3.1 base score of 9.2, classifying it as CRITICAL. The vector string is:

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

This indicates that the attack can be carried out locally with low complexity, no privileges, and no user interaction, while resulting in high impact on confidentiality and integrity.

Affected Versions

• Product: YoutubeDLSharp
• Vendor: Bluegrams
• Versions Affected: >= 1.0.0-beta4 and < 1.1.2

Mitigation

The vulnerability has been addressed in version 1.1.2. All users of affected versions should:

• Upgrade to v1.1.2 immediately
• Review usage of built-in command execution methods in their implementations
• Avoid relying on defaults that obscure execution context or encoding behavior

References

• Security Advisory
• Patch Commit 1
• Patch Commit 2

Conclusion

CVE-2025-43858 highlights the risks of executing command-line utilities without stringent input validation. Developers embedding third-party tools like yt-dlp should ensure that all input is carefully sanitized to avoid introducing critical security flaws. Updating to the latest version is essential for maintaining a secure software environment.